Bugzilla – Bug 1200736
VUL-0: CVE-2022-32207: curl: Unpreserved file permissions
Last modified: 2022-09-16 13:05:13 UTC
seems SUSE:SLE-15-SP4:Update only
CVE-2022-32207: Unpreserved file permissions
============================================

Project curl Security Advisory, June 27th 2022 - [Permalink](https://curl.se/docs/CVE-2022-32207.html)

VULNERABILITY
-------------

When curl saves cookies, alt-svc and hsts data to local files, it makes the
operation atomic by finalizing the operation with a rename from a temporary
name to the final target file name.

In that rename operation, it might accidentally *widen* the permissions for
the target file, leaving the updated file accessible to more users than
intended.

We are not aware of any exploit of this flaw.

INFO
----

CVE-2022-32207 was introduced in [commit b834890a3fa3f52](https://github.com/curl/curl/commit/b834890a3fa3f52), shipped in curl 7.69.0.

This problem can be worked-around by using a strict umask.

CWE-281: Improper Preservation of Permissions

Severity: Medium

AFFECTED VERSIONS
-----------------

- Affected versions: curl 7.69.0 to and including 7.83.1
- Not affected versions: curl < 7.69.0 and curl >= 7.84.0

libcurl is used by many applications, but not always advertised as such!

THE SOLUTION
------------

A [fix for CVE-2022-32207](https://github.com/curl/curl/commit/20f9dd6bae50b)

RECOMMENDATIONS
--------------

A - Upgrade curl to version 7.84.0

B - Apply the patch to your local version

C - Make extra precautions to protect saved files (ie strict umask)

TIMELINE
--------

This issue was reported to the curl project on May 17, 2022. We contacted
distros@openwall on June 20.

libcurl 7.84.0 was released on June 27 2022, coordinated with the publication
of this advisory.

CREDITS
-------

This issue was reported by Harry Sintonen. Patched by Daniel Stenberg.
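The advisory describes the write-to-temp-then-rename pattern and how it can widen permissions: the temporary file is created with the default mode masked by the process umask, and rename() replaces the target's inode, so the target's original (possibly stricter) mode bits are lost. The following C program is an added illustration of that mechanism and of the usual remedy (stat the existing target and fchmod the temporary file to its mode before the rename); it is not curl's own code, and the file names, the 0600 cookie file and the umask of 022 are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write `data` to `target` atomically via "<target>.tmp" + rename().
 * preserve_mode == 0: rely on 0666 & ~umask for the temp file, which is
 *                     how a private target can end up world-readable.
 * preserve_mode != 0: copy the existing target's permission bits onto the
 *                     temp file first (the class of fix the advisory links).
 * Returns 0 on success, -1 on error (temp file removed on failure). */
static int save_atomic(const char *target, const char *data, int preserve_mode)
{
    char tmp[4096];
    snprintf(tmp, sizeof tmp, "%s.tmp", target);

    int fd = open(tmp, O_WRONLY | O_CREAT | O_TRUNC, 0666); /* masked by umask */
    if (fd < 0)
        return -1;

    if (preserve_mode) {
        struct stat st;
        /* If the target already exists, inherit its mode; a missing target
         * keeps the default so first-time creation still works. */
        if (stat(target, &st) == 0 && fchmod(fd, st.st_mode & 07777) != 0)
            goto fail;
    }

    size_t len = strlen(data);
    if (write(fd, data, len) != (ssize_t)len)
        goto fail;
    if (close(fd) != 0) {
        fd = -1;
        goto fail;
    }
    if (rename(tmp, target) != 0) {
        fd = -1;
        goto fail;
    }
    return 0;

fail:
    if (fd >= 0)
        close(fd);
    unlink(tmp);
    return -1;
}

/* Permission bits of `path`, or -1 if it cannot be stat()ed. */
static int mode_of(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & 07777);
}

/* Create a private (0600) "cookies.txt" in a fresh temp directory, overwrite
 * it with save_atomic() under umask 022, and return the resulting mode.
 * Constructed scenario: the user's cookie jar is meant to stay 0600. */
static int demo(int preserve_mode)
{
    char dir[] = "/tmp/cve-2022-32207-XXXXXX";
    if (!mkdtemp(dir))
        return -1;

    char target[4096];
    snprintf(target, sizeof target, "%s/cookies.txt", dir);

    mode_t old = umask(022);
    int result = -1;

    const char *hdr = "# Netscape HTTP Cookie File\n";
    int fd = open(target, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd >= 0) {
        if (write(fd, hdr, strlen(hdr)) == (ssize_t)strlen(hdr) && close(fd) == 0)
            if (save_atomic(target, "# updated cookie jar\n", preserve_mode) == 0)
                result = mode_of(target);
    }

    umask(old);
    unlink(target);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("rename without preserving mode: %04o\n", demo(0)); /* 0644: widened */
    printf("rename after fchmod to old mode: %04o\n", demo(1)); /* 0600: kept   */
    return 0;
}
```

With umask 022 the unpatched path turns a 0600 file into 0644, which is exactly the widening the advisory describes; with a strict umask such as 077 the temp file is already 0600 and the rename cannot widen anything, which is why the advisory lists a strict umask as a workaround.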
SUSE-SU-2022:2305-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1200734,1200735,1200736,1200737
CVE References: CVE-2022-32205,CVE-2022-32206,CVE-2022-32207,CVE-2022-32208
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): curl-7.79.1-150400.5.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): curl-7.79.1-150400.5.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
All was done. Sending back to security.
Done, closing.