Bugzilla – Bug 1213237
VUL-0: CVE-2023-32001: curl: fopen race condition
Last modified: 2024-03-12 15:52:51 UTC
is public. fopen race condition ==================== Project curl Security Advisory, July 19 2023 - [Permalink](https://curl.se/docs/CVE-2023-32001.html) VULNERABILITY ------------- libcurl can be told to save cookie, HSTS and/or alt-svc data to files. When doing this, it called `stat()` followed by `fopen()` in a way that made it vulnerable to a TOCTOU race condition problem. By exploiting this flaw, an attacker could trick the victim to create or overwrite protected files holding this data in ways it was not intended to. INFO ---- The attacker needs permissions and rights enough to be able to create or rename directory entries in the directory the victim saves their files. This race condition modifies the behavior of symbolic link files in affected components, they might be followed instead of being overwritten when the condition is met leading to undesired and potentially destructive behavior. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2023-32001 to this issue. CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition Severity: Medium AFFECTED VERSIONS ----------------- - Affected versions: libcurl 7.84.0 to and including 8.1.2 - Not affected versions: libcurl < 7.84.0 and >= 8.2.0 - Introduced-in: https://github.com/curl/curl/commit/20f9dd6bae50b722 libcurl is used by many applications, but not always advertised as such! SOLUTION ------------ - Fixed-in: https://github.com/curl/curl/commit/0c667188e0c6cda615a0 RECOMMENDATIONS -------------- A - Upgrade curl to version 8.2.0 B - Apply the patch to your local version C - Do not save cookie, HSTS or alt-svc data TIMELINE -------- This issue was reported to the curl project on June 27, 2023. We contacted distros@openwall on July 12, 2023. libcurl 8.2.0 was released on July 2023, coordinated with the publication of this advisory. CREDITS ------- - Reported-by: selmelc on hackerone - Patched-by: selmelc on hackerone Thanks a lot! -- / daniel.haxx.se | Commercial curl support up to 24x7 is available! | Private help, bug fixes, support, ports, new features | https://curl.se/support.html
SUSE-SU-2023:2880-1: An update that solves one vulnerability can now be installed. Category: security (moderate) Bug References: 1213237 CVE References: CVE-2023-32001 Sources used: SUSE Linux Enterprise Software Development Kit 12 SP5 (src): curl-8.0.1-11.68.1 SUSE Linux Enterprise High Performance Computing 12 SP5 (src): curl-8.0.1-11.68.1 SUSE Linux Enterprise Server 12 SP5 (src): curl-8.0.1-11.68.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): curl-8.0.1-11.68.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:2891-1: An update that solves one vulnerability can now be installed. Category: security (moderate) Bug References: 1213237 CVE References: CVE-2023-32001 Sources used: openSUSE Leap Micro 5.3 (src): curl-8.0.1-150400.5.26.1 openSUSE Leap 15.4 (src): curl-8.0.1-150400.5.26.1 openSUSE Leap 15.5 (src): curl-8.0.1-150400.5.26.1 SUSE Linux Enterprise Micro for Rancher 5.3 (src): curl-8.0.1-150400.5.26.1 SUSE Linux Enterprise Micro 5.3 (src): curl-8.0.1-150400.5.26.1 SUSE Linux Enterprise Micro for Rancher 5.4 (src): curl-8.0.1-150400.5.26.1 SUSE Linux Enterprise Micro 5.4 (src): curl-8.0.1-150400.5.26.1 Basesystem Module 15-SP4 (src): curl-8.0.1-150400.5.26.1 Basesystem Module 15-SP5 (src): curl-8.0.1-150400.5.26.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
FTR: Around 11:54 of the 27/08/2023, the string `CVE-2023-32001: fopen race condition` was moved from the "Past vulnerabilities" to the "Retracted security vulnerabilities" section [0]. [0] https://curl.se/docs/security.html