Bug 1175109 (CVE-2020-8231) - VUL-1: CVE-2020-8231: curl: libcurl - wrong connect-only connection
Summary: VUL-1: CVE-2020-8231: curl: libcurl - wrong connect-only connection
Status: RESOLVED FIXED
Alias: CVE-2020-8231
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium, Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/265014/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-8231:3.7:(AV:N...
Keywords:
Depends on:
Blocks:
 
Reported: 2020-08-11 11:22 UTC by Robert Frohl
Modified: 2024-03-12 15:50 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Comment 7 Wolfgang Frisch 2020-08-19 08:16:02 UTC
libcurl: wrong connect-only connection
======================================

Project curl Security Advisory, August 19th 2020 -
[Permalink](https://curl.haxx.se/docs/CVE-2020-8231.html)

VULNERABILITY
-------------

An application that performs multiple requests with libcurl's multi API and
sets the `CURLOPT_CONNECT_ONLY` option, might in rare circumstances experience
that when subsequently using the setup connect-only transfer, libcurl will
pick and use the wrong connection - and instead pick another one the
application has created since then.

`CURLOPT_CONNECT_ONLY` is the option to tell libcurl to not perform an actual
transfer, only connect. When that operation is completed, libcurl remembers
which connection it used for that transfer and "easy handle". It remembers the
connection using a pointer to the internal `connectdata` struct in memory.

If more transfers are then done with the same multi handle before the
connect-only connection is used, leading to the initial connect-only
connection to get closed (for example due to idle time-out) while also new
transfers (and connections) are setup, such a *new* connection might end up
getting the exact same memory address as the now closed connect-only
connection.

If after those operations, the application then wants to use the original
transfer's connect-only setup to for example use `curl_easy_send()` to send
raw data over that connection, libcurl could **erroneously** find an existing
connection still being alive at the address it remembered since before even
though this is now a new and different connection.

The application could then accidentally send data over that connection which
wasn't at all intended for that recipient, entirely unknowingly.

We are not aware of any exploit of this flaw.

INFO
----

This bug has existed at least since commit
[c43127414d](https://github.com/curl/curl/commit/c43127414d), first shipped in
curl 7.29.0.

This flaw cannot trigger for users of the curl tool but only for applications
using libcurl and the `CURLOPT_CONNECT_ONLY` option.

The flaw only happens if the exact same memory address is re-used again for
the new connection as for the original connect-only connection.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2020-8231 to this issue.

CWE-825: Expired Pointer Dereference

Severity: Low

AFFECTED VERSIONS
-----------------

- Affected versions: libcurl 7.29.0 to and including 7.71.1
- Not affected versions: libcurl < 7.29.0 and libcurl >= 7.72.0

THE SOLUTION
------------

A [fix for CVE-2020-8231](https://github.com/curl/curl/commit/3c9e021f86872baae412a427e807fbfa2f3e8)

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

 A - Upgrade curl to version 7.72.0

 B - Apply the patch on your curl version and rebuild

 C - Do not use `CURLOPT_CONNECT_ONLY`

TIMELINE
--------

This issue was first reported to the curl project on July 31, 2020.

This advisory was posted on August 19th 2020.

CREDITS
-------

This issue was reported by Marc Aldorasi. Patched by Daniel Stenberg.
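As an added illustration (not curl's own code, and not the upstream patch), the following C program models the sequence the advisory describes. A connection cache hands out connections from a small fixed slab, so closing the connect-only connection and opening a new one deterministically reuses the same address. An easy handle that remembered only the pointer then resolves to the new, unrelated connection, which is exactly how data could be sent to an unintended recipient; a handle that also remembers a never-reused connection id refuses the send instead. The slab, `struct conn`, `struct easy`, and the id-based check are all constructed for this example and are assumptions about how such a check could look, not a description of libcurl's internals.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a connection cache (not libcurl's connectdata code).
 * Connections live in a fixed slab so that closing one and opening another
 * reuses the same address, the precondition the advisory describes. */
#define SLAB_SIZE 4

struct conn {
    uint64_t id;    /* hypothetical unique id, never handed out twice */
    bool alive;
};

struct cache {
    struct conn slab[SLAB_SIZE];
    uint64_t next_id;
};

/* What an easy handle remembers after a CURLOPT_CONNECT_ONLY transfer. */
struct easy {
    struct conn *conn_ptr;  /* the vulnerable design stores only this */
    uint64_t conn_id;       /* the hardened design also stores this */
};

static void cache_init(struct cache *c) {
    for (size_t i = 0; i < SLAB_SIZE; i++) {
        c->slab[i].id = 0;
        c->slab[i].alive = false;
    }
    c->next_id = 1;
}

/* Open a connection in the first free slot; NULL when the slab is full. */
static struct conn *cache_open(struct cache *c) {
    for (size_t i = 0; i < SLAB_SIZE; i++) {
        if (!c->slab[i].alive) {
            c->slab[i].id = c->next_id++;
            c->slab[i].alive = true;
            return &c->slab[i];
        }
    }
    return NULL;
}

/* Close a connection (e.g. idle time-out); its slot becomes reusable. */
static void cache_close(struct conn *conn) {
    conn->alive = false;
}

static void easy_remember(struct easy *e, struct conn *conn) {
    e->conn_ptr = conn;
    e->conn_id = conn->id;
}

/* Vulnerable lookup: "is there a live connection at the address I remembered?"
 * A new connection that landed in the same slot satisfies this check. */
static struct conn *find_by_pointer(struct cache *c, struct conn *ptr) {
    for (size_t i = 0; i < SLAB_SIZE; i++)
        if (c->slab[i].alive && &c->slab[i] == ptr)
            return &c->slab[i];
    return NULL;
}

/* Hardened lookup: the address must match AND the connection must still be
 * the same one, identified by an id that is never reused. */
static struct conn *find_by_pointer_and_id(struct cache *c, struct conn *ptr,
                                           uint64_t id) {
    struct conn *found = find_by_pointer(c, ptr);
    return (found && found->id == id) ? found : NULL;
}

/* Replays the advisory's sequence and returns the id of the connection the
 * connect-only handle would send on, or 0 when the lookup correctly reports
 * that its connection is gone. */
uint64_t connect_only_send_target(bool hardened) {
    struct cache c;
    struct easy e = { NULL, 0 };
    cache_init(&c);

    struct conn *first = cache_open(&c);   /* connect-only connection, id 1 */
    easy_remember(&e, first);

    cache_close(first);                    /* idle time-out closes it */
    struct conn *second = cache_open(&c);  /* later transfer's connection, id 2 */
    /* second == first here: same address, different connection */
    (void)second;

    struct conn *target = hardened
        ? find_by_pointer_and_id(&c, e.conn_ptr, e.conn_id)
        : find_by_pointer(&c, e.conn_ptr);
    return target ? target->id : 0;
}

int main(void) {
    printf("pointer-only lookup sends on connection id %llu (remembered id was 1)\n",
           (unsigned long long)connect_only_send_target(false));
    printf("pointer+id lookup sends on connection id %llu (0 = refused, gone)\n",
           (unsigned long long)connect_only_send_target(true));
    return 0;
}
```

The pointer-only lookup returns connection 2, the one a later transfer opened, even though the handle remembered connection 1. For applications stuck on an affected libcurl, this is also why recommendation C above is meaningful: a connect-only handle should not be kept across further multi-handle activity without a way to confirm the connection it remembers is still the same one.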
Comment 8 Pedro Monreal Gonzalez 2020-08-19 08:16:46 UTC
Factory submission:
   https://build.opensuse.org/request/show/827744
Comment 10 Swamp Workflow Management 2020-09-02 13:13:47 UTC
SUSE-SU-2020:2446-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1175109
CVE References: CVE-2020-8231
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    curl-7.60.0-3.32.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2020-09-02 13:17:57 UTC
SUSE-SU-2020:2444-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1175109
CVE References: CVE-2020-8231
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    curl-7.60.0-11.6.1
SUSE Linux Enterprise Server 12-SP5 (src):    curl-7.60.0-11.6.1
Comment 12 Swamp Workflow Management 2020-09-02 13:18:49 UTC
SUSE-SU-2020:2445-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1175109
CVE References: CVE-2020-8231
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    curl-7.66.0-4.6.1
Comment 13 Swamp Workflow Management 2020-09-02 16:18:46 UTC
SUSE-SU-2020:14481-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1175109
CVE References: CVE-2020-8231
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SECURITY (src):    curl-openssl1-7.37.0-70.52.2
Comment 14 Swamp Workflow Management 2020-09-05 16:14:42 UTC
openSUSE-SU-2020:1345-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1175109
CVE References: CVE-2020-8231
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    curl-7.60.0-lp151.5.15.1, curl-mini-7.60.0-lp151.5.15.1
Comment 15 Swamp Workflow Management 2020-09-07 13:29:36 UTC
openSUSE-SU-2020:1359-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1175109
CVE References: CVE-2020-8231
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    curl-7.66.0-lp152.3.6.1
Comment 16 Swamp Workflow Management 2020-09-21 16:17:10 UTC
openSUSE-SU-2020:1494-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1175109
CVE References: CVE-2020-8231
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    curl-7.66.0-lp152.3.9.1, curl-mini-7.66.0-lp152.3.9.1
Comment 19 Swamp Workflow Management 2021-05-27 19:29:02 UTC
SUSE-SU-2021:1786-1: An update that solves 6 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1175109,1177976,1179398,1179399,1179593,1183933,1186114
CVE References: CVE-2020-8231,CVE-2020-8284,CVE-2020-8285,CVE-2020-8286,CVE-2021-22876,CVE-2021-22898
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    curl-7.60.0-4.20.1
SUSE OpenStack Cloud 9 (src):    curl-7.60.0-4.20.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    curl-7.60.0-4.20.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    curl-7.60.0-4.20.1
Comment 20 Marcus Meissner 2021-08-09 12:52:35 UTC
released