Bug 1215026 (CVE-2023-38039) - VUL-0: CVE-2023-38039: curl: HTTP headers eat all memory
Summary: VUL-0: CVE-2023-38039: curl: HTTP headers eat all memory
Status: RESOLVED FIXED
Alias: CVE-2023-38039
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/377441/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-38039:7.5:(AV:...
Reported: 2023-09-06 06:44 UTC by Alexander Bergmann
Modified: 2024-04-15 15:08 UTC
Comment 7 Gianluca Gabrielli 2023-09-13 07:19:55 UTC
---

VULNERABILITY

When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API.

However, curl did not have a limit in how many or how large headers it would accept in a response, allowing a malicious server to stream an endless series of headers and eventually cause curl to run out of heap memory.

INFO

Since libcurl allocates memory on the heap to store each header individually, the exact number of headers required for this to become a problem will vary greatly from case to case. As the headers typically need to be transferred over a network to curl, the available bandwidth will also affect how likely or how fast this problem can be triggered.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2023-38039 to this issue.

CWE-770: Allocation of Resources Without Limits or Throttling

Severity: Medium

AFFECTED VERSIONS

    Affected versions: libcurl 7.84.0 to and including 8.2.1
    Not affected versions: libcurl < 7.84.0 and >= 8.3.0
    Introduced-in: https://github.com/curl/curl/commit/4d94fac9f0d1dd

libcurl is used by many applications, but not always advertised as such!

This flaw existed already in 7.83.0 source code, but in that release the feature was still marked EXPERIMENTAL and was not enabled in normal builds. The label was removed in 7.84.0, which is why we consider that the first vulnerable version.

SOLUTION

Starting in curl 8.3.0, curl returns an error if the total size of the headers in a single HTTP response exceeds 300 KB.

    Fixed-in: https://github.com/curl/curl/commit/3ee79c1674fd6f9

RECOMMENDATIONS

A - Upgrade curl to version 8.3.0

B - Apply the patch to your local version

C - Monitor response headers and return an error if too much is received

TIMELINE

This issue was reported to the curl project on July 17, 2023. We contacted distros@openwall on September 6, 2023.

This report arrived before the 8.2.0 and 8.2.1 releases shipped (on July 19 and July 26), but we did not manage to work it through and fix it in time for those releases.

libcurl 8.3.0 was released on September 13, 2023, coordinated with the publication of this advisory.

CREDITS

    Reported-by: selmelc on hackerone
    Patched-by: Daniel Stenberg


References
https://curl.se/docs/CVE-2023-38039.html
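Recommendation C in the advisory above (have the application watch response header volume and fail the transfer when it grows too large) can be implemented in an application's own libcurl header callback, mirroring the per-response 300 KB check curl 8.3.0 applies. The C below is an added example, not code from the advisory or from the curl project: the names header_budget, header_cb, feed_headers and the sample header lines are constructed for illustration, while CURLOPT_HEADERFUNCTION and CURLOPT_HEADERDATA are libcurl's real options, mentioned in a comment rather than called so the example builds without libcurl installed.

```c
#include <stdio.h>
#include <string.h>

struct header_budget {
    size_t used;    /* header bytes counted for the current response */
    size_t limit;   /* a line that would push used past this aborts */
    int aborted;
};

/* CURLOPT_HEADERFUNCTION-compatible callback: libcurl calls it once per
 * header line (status line and final empty line included) and aborts the
 * transfer with CURLE_WRITE_ERROR when the return value differs from
 * size*nitems. Register it with CURLOPT_HEADERFUNCTION / CURLOPT_HEADERDATA. */
size_t header_cb(char *buffer, size_t size, size_t nitems, void *userdata)
{
    struct header_budget *b = userdata;
    size_t len = size * nitems;
    /* A status line opens a new response (redirect, 1xx interim reply), so
     * the budget is per response, like the 300 KB check in curl 8.3.0. */
    if (len >= 5 && memcmp(buffer, "HTTP/", 5) == 0)
        b->used = 0;
    if (len > b->limit - b->used) {  /* phrased to avoid size_t overflow */
        b->aborted = 1;
        return 0;                    /* != len: libcurl stops the transfer */
    }
    b->used += len;
    return len;
}

/* Feed header lines as libcurl would; returns the bytes accepted before the
 * budget ran out (if it did). */
size_t feed_headers(struct header_budget *b, const char *const *lines, size_t n)
{
    size_t accepted = 0;
    for (size_t i = 0; i < n && !b->aborted; i++)
        accepted += header_cb((char *)lines[i], 1, strlen(lines[i]), b);
    return accepted;
}

/* Constructed sample header streams, not captured from any real server. */
static const char *const kSingle[] = { "HTTP/1.1 200 OK\r\n", "Server: test\r\n",
    "X-Pad: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\r\n" };
static const char *const kRedirect[] = { "HTTP/1.1 301 Moved\r\n",
    "Location: /x\r\n", "\r\n", "HTTP/1.1 200 OK\r\n", "X: y\r\n" };

int main(void)
{
    struct header_budget b = { 0, 64, 0 };  /* tiny limit for the demo */
    size_t n = feed_headers(&b, kSingle, 3);
    printf("accepted %zu header bytes, aborted=%d\n", n, b.aborted);
}
```

The redirect sample shows why the counter resets on each status line: a 301 followed by a 200 on the same handle is two responses, and with a per-handle counter a legitimate redirect chain could trip a limit sized for one response.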
Comment 11 Maintenance Automation 2023-09-20 08:30:24 UTC
SUSE-SU-2023:3692-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1215026
CVE References: CVE-2023-38039
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): curl-8.0.1-11.71.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): curl-8.0.1-11.71.1
SUSE Linux Enterprise Server 12 SP5 (src): curl-8.0.1-11.71.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): curl-8.0.1-11.71.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Maintenance Automation 2023-09-27 20:31:22 UTC
SUSE-SU-2023:3823-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1215026
CVE References: CVE-2023-38039
Sources used:
openSUSE Leap 15.4 (src): curl-8.0.1-150400.5.29.1
openSUSE Leap 15.5 (src): curl-8.0.1-150400.5.29.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): curl-8.0.1-150400.5.29.1
SUSE Linux Enterprise Micro 5.3 (src): curl-8.0.1-150400.5.29.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): curl-8.0.1-150400.5.29.1
SUSE Linux Enterprise Micro 5.4 (src): curl-8.0.1-150400.5.29.1
Basesystem Module 15-SP4 (src): curl-8.0.1-150400.5.29.1
Basesystem Module 15-SP5 (src): curl-8.0.1-150400.5.29.1

Comment 15 Marcus Meissner 2024-04-15 15:08:24 UTC
released