Bug 1213237 (CVE-2023-32001) - VUL-0: CVE-2023-32001: curl: fopen race condition
Summary: VUL-0: CVE-2023-32001: curl: fopen race condition
Status: RESOLVED FIXED
Alias: CVE-2023-32001
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/372148/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-32001:5.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-07-12 08:41 UTC by Robert Frohl
Modified: 2024-03-12 15:52 UTC (History)
4 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 14 Marcus Meissner 2023-07-19 07:16:14 UTC
is public.
fopen race condition
====================

Project curl Security Advisory, July 19 2023 -
[Permalink](https://curl.se/docs/CVE-2023-32001.html)

VULNERABILITY
-------------

libcurl can be told to save cookie, HSTS and/or alt-svc data to files. When
doing this, it called `stat()` followed by `fopen()` in a way that made it
vulnerable to a TOCTOU race condition problem.

By exploiting this flaw, an attacker could trick the victim to create or
overwrite protected files holding this data in ways it was not intended to.

INFO
----

The attacker needs permissions and rights enough to be able to create or
rename directory entries in the directory the victim saves their files.

This race condition modifies the behavior of symbolic link files in affected
components, they might be followed instead of being overwritten when the
condition is met leading to undesired and potentially destructive behavior.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2023-32001 to this issue.

CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

Severity: Medium
AFFECTED VERSIONS
-----------------

- Affected versions: libcurl 7.84.0 to and including 8.1.2
- Not affected versions: libcurl < 7.84.0 and >= 8.2.0
- Introduced-in: https://github.com/curl/curl/commit/20f9dd6bae50b722

libcurl is used by many applications, but not always advertised as such!

SOLUTION
------------

- Fixed-in: https://github.com/curl/curl/commit/0c667188e0c6cda615a0

RECOMMENDATIONS
--------------

  A - Upgrade curl to version 8.2.0

  B - Apply the patch to your local version

  C - Do not save cookie, HSTS or alt-svc data

TIMELINE
--------

This issue was reported to the curl project on June 27, 2023. We contacted
distros@openwall on July 12, 2023.

libcurl 8.2.0 was released on July 2023, coordinated with the publication of
this advisory.

CREDITS
-------

- Reported-by: selmelc on hackerone
- Patched-by: selmelc on hackerone

Thanks a lot!

-- 

  / daniel.haxx.se
  | Commercial curl support up to 24x7 is available!
  | Private help, bug fixes, support, ports, new features
  | https://curl.se/support.html
Comment 17 Maintenance Automation 2023-07-19 12:30:04 UTC
SUSE-SU-2023:2880-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1213237
CVE References: CVE-2023-32001
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): curl-8.0.1-11.68.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): curl-8.0.1-11.68.1
SUSE Linux Enterprise Server 12 SP5 (src): curl-8.0.1-11.68.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): curl-8.0.1-11.68.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Maintenance Automation 2023-07-19 20:35:13 UTC
SUSE-SU-2023:2891-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1213237
CVE References: CVE-2023-32001
Sources used:
openSUSE Leap Micro 5.3 (src): curl-8.0.1-150400.5.26.1
openSUSE Leap 15.4 (src): curl-8.0.1-150400.5.26.1
openSUSE Leap 15.5 (src): curl-8.0.1-150400.5.26.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): curl-8.0.1-150400.5.26.1
SUSE Linux Enterprise Micro 5.3 (src): curl-8.0.1-150400.5.26.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): curl-8.0.1-150400.5.26.1
SUSE Linux Enterprise Micro 5.4 (src): curl-8.0.1-150400.5.26.1
Basesystem Module 15-SP4 (src): curl-8.0.1-150400.5.26.1
Basesystem Module 15-SP5 (src): curl-8.0.1-150400.5.26.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 20 Gianluca Gabrielli 2023-08-28 07:07:58 UTC
FTR: Around 11:54 of the 27/08/2023, the string `CVE-2023-32001: fopen race condition` was moved from the "Past vulnerabilities" to the "Retracted security vulnerabilities" section [0].


[0] https://curl.se/docs/security.html