Bug 991391 - (CVE-2016-5421) VUL-0: CVE-2016-5421: curl: use of connection struct after free
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other / OS: Other
Priority: P3 - Medium / Severity: Normal
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/171509/
Whiteboard: maint:running:62921:moderate CVSSv2:S...
Reported: 2016-07-31 12:35 UTC by Andreas Stieger
Modified: 2022-09-21 08:22 UTC (History)

Found By: Security Response Team
Description Andreas Stieger 2016-07-31 12:35:56 UTC
Created attachment 686185: work in progress patch

EMBARGOED
CRD: 2016-08-03

use of connection struct after free
===================================

Project cURL Security Advisory, August 3rd 2016 -
[Permalink](https://curl.haxx.se/docs/adv_20160803C.html)

VULNERABILITY
-------------

libcurl is vulnerable to a use-after-free flaw.

libcurl works with easy handles of the type 'CURL *', objects the application
creates using curl_easy_init(). Each such handle is associated with a single
transfer at a time. libcurl also has an internal struct that represents and
holds most state related to a single connection. An easy handle can hold
references to one or many such connection structs depending on the requested
operations.

When using libcurl's multi interface, an application performs transfers by
adding one or more easy handles to the multi handle and then it can drive all
those transfers in parallel.

Due to a flaw, libcurl could leave a pointer to a freed connection struct
dangling in an easy handle that was previously added to a multi handle when
curl_multi_cleanup() is called with an easy handle still added to it. This
does not seem to cause any notable harm if the handle is then closed properly.

However, if the easy handle would instead get used again with the easy
interface and curl_easy_perform() to do another transfer, it would blindly use
the connection struct pointer now pointing to freed memory.

An application could be made to allocate its own fake version of the connection
struct, fill in some data and then have the curl_easy_perform() call do
something that clearly was not intended by the original code.

For example, this could be an application using a component or library that
uses libcurl to do something against fixed URLs or fixed host names or with a
set of fixed options; using this flaw, the application can then make the
component do something completely different and unintended.

Pseudo code for a bad application

~~~
   CURL *easy = curl_easy_init();
   curl_easy_setopt(easy, CURLOPT_URL, "http://example.com/");

   // --- start of code to confuse libcurl ---
   CURLM *multi = curl_multi_init();
   int still_running = 0;
   curl_multi_add_handle(multi, easy);
   curl_multi_perform(multi, &still_running);
   // 'easy' is still added here: cleanup frees its connection struct but
   // leaves the easy handle's pointer to it dangling (the flaw)
   curl_multi_cleanup(multi);

   // --- attack code (pseudo functions: grab the freed memory with a
   //     connection struct of the attacker's choosing)
   allocate_fake_connection_struct();
   fill_in_fake_connection_struct();

   // ---- end of confusion code

   // now this is called, it will not use example.com at all even if the option
   // above asks for it: it reuses the dangling connection pointer

   curl_easy_perform(easy);
~~~

This flaw can also be exploited using libcurl bindings in other languages.

We are not aware of any exploit of this flaw.

INFO
----

This flaw does not affect the curl command line tool.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2016-XXXX to this issue.

AFFECTED VERSIONS
-----------------

- Affected versions: libcurl 7.32.0 to and including 7.50.0
- Not affected versions: libcurl >= 7.50.1

libcurl is used by many applications, but not always advertised as such!

THE SOLUTION
------------

In version 7.50.1, curl clears the pointer immediately after freeing the
connection struct, thus removing this vulnerability.

A [patch for CVE-2016-XXXX](https://curl.haxx.se/CVE-C.patch) is available.

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

  A - Upgrade curl and libcurl to version 7.50.1

  B - Apply the patch to your version and rebuild

  C - Do not expose easy handles from your libcurl using components

TIME LINE
---------

Reported on July 3, 2016.

libcurl 7.50.1 was released on August 3 2016, coordinated with the publication
of this advisory.

CREDITS
-------

Found and explained to us by Marcelo Echeverria and Fernando Muñoz.
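As an added example that is not part of the advisory and not libcurl's own code, the following C model reproduces the relationship the advisory describes (easy handles holding a pointer to a connection struct owned by a multi handle) and runs the advisory's sequence against a cleanup that leaves the freed pointer in place and against one that clears it right after free, the way 7.50.1 does. Every name in it (easy_handle, multi_handle, connectdata, open_conn, run_sequence and so on) is a hypothetical stand-in; no network I/O takes place and the URL is a constructed input.

```c
/* Added example, not libcurl code: a self-contained model of the easy
 * handle / connection relationship described in the advisory.
 * multi_cleanup_buggy() has the CVE-2016-5421 shape (freed connection
 * pointer left in the easy handle); multi_cleanup_fixed() clears the pointer
 * right after free, as libcurl 7.50.1 does. All names (easy_handle,
 * multi_handle, connectdata, open_conn, ...) are hypothetical stand-ins. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_EASY 4

struct connectdata { char host[64]; };          /* per-connection state */
struct easy_handle {                            /* stand-in for CURL * */
    char url[128];
    struct connectdata *conn;  /* connection the next transfer reuses, or NULL */
};
struct multi_handle { struct easy_handle *easies[MAX_EASY]; int n; }; /* CURLM * */

/* "Connect" to the host named in url (text after "://", up to '/'); no I/O. */
static struct connectdata *open_conn(const char *url) {
    struct connectdata *c = calloc(1, sizeof *c);
    const char *h = strstr(url, "://");
    size_t n;
    if (!c) return NULL;
    h = h ? h + 3 : url;
    n = strcspn(h, "/");
    memcpy(c->host, h, n < sizeof c->host ? n : sizeof c->host - 1);
    return c;                          /* calloc supplied the terminator */
}

static void multi_add(struct multi_handle *m, struct easy_handle *e) {
    if (m->n < MAX_EASY) m->easies[m->n++] = e;
}

/* Drive each added handle once. An existing conn is reused as-is (this is
 * the dereference that reads freed memory after the buggy cleanup);
 * otherwise a connection for the handle's own URL is opened. */
static void multi_perform(struct multi_handle *m) {
    for (int i = 0; i < m->n; i++)
        if (!m->easies[i]->conn)
            m->easies[i]->conn = open_conn(m->easies[i]->url);
}

/* Pre-7.50.1 shape: conns of handles still added are freed, pointers kept. */
static void multi_cleanup_buggy(struct multi_handle *m) {
    for (int i = 0; i < m->n; i++)
        free(m->easies[i]->conn);               /* pointer left dangling */
    m->n = 0;
}

/* Fixed shape: clear the pointer immediately after free. */
static void multi_cleanup_fixed(struct multi_handle *m) {
    for (int i = 0; i < m->n; i++) {
        free(m->easies[i]->conn);
        m->easies[i]->conn = NULL;
    }
    m->n = 0;
}

/* Easy interface, like curl_easy_perform(): drive the handle through a private
 * multi handle torn down correctly afterwards. Copies the host used into out. */
static int easy_perform(struct easy_handle *e, char *out, size_t outlen) {
    struct multi_handle tmp = {{0}, 0};
    multi_add(&tmp, e);
    multi_perform(&tmp);
    if (!e->conn) return -1;
    snprintf(out, outlen, "%s", e->conn->host);
    multi_cleanup_fixed(&tmp);
    return 0;
}

/* The advisory's sequence: add, perform, cleanup with the handle still added.
 * Returns 1 if the handle still holds the freed pointer afterwards (compared,
 * never dereferenced; a further easy_perform() would read freed memory, so the
 * demo stops). With fixed != 0 it goes on to easy_perform() and returns 0 if
 * that used example.com, the URL set on the handle, or 2 otherwise. */
int run_sequence(int fixed, char *host, size_t hostlen) {
    struct multi_handle m = {{0}, 0};
    struct easy_handle *e = calloc(1, sizeof *e);
    if (!e) return -1;
    snprintf(e->url, sizeof e->url, "%s", "http://example.com/");
    multi_add(&m, e);
    multi_perform(&m);
    if (fixed) multi_cleanup_fixed(&m); else multi_cleanup_buggy(&m);
    int rc = e->conn != NULL;
    if (fixed && rc == 0 &&
        (easy_perform(e, host, hostlen) != 0 || strcmp(host, "example.com") != 0))
        rc = 2;
    free(e);            /* conns belong to the multi handle: never freed here */
    return rc;
}

int main(void) {
    char host[64] = "";
    printf("buggy cleanup, conn still set afterwards: %d\n",
           run_sequence(0, host, sizeof host));
    int rc = run_sequence(1, host, sizeof host);
    printf("fixed cleanup: rc=%d, host used: %s\n", rc, host);
    return 0;
}
```

Build with `cc -std=c99 -Wall -fsanitize=address` and run; the buggy path deliberately stops at the dangling pointer rather than dereferencing it, because under a real allocator the freed block can already be reused by whatever the application allocated next, which is exactly the "fake connection struct" the advisory describes. The model's `easy_perform()` going to example.com after the fixed cleanup is the property 7.50.1 restores; for libcurl itself the only remedies are the ones listed under RECOMMENDATIONS.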
Comment 1 Swamp Workflow Management 2016-07-31 22:00:47 UTC
bugbot adjusting priority
Comment 2 Swamp Workflow Management 2016-08-01 09:05:13 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2016-08-15.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62921
Comment 4 Bernhard Wiedemann 2016-08-24 12:01:03 UTC
This is an autogenerated message for OBS integration:
This bug (991391) was mentioned in
https://build.opensuse.org/request/show/421545 13.2 / curl
Comment 6 Swamp Workflow Management 2016-09-02 16:09:51 UTC
openSUSE-SU-2016:2227-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 991389,991390,991391,991746
CVE References: CVE-2016-5419,CVE-2016-5420,CVE-2016-5421
Sources used:
openSUSE 13.2 (src):    curl-7.42.1-25.1
Comment 8 Swamp Workflow Management 2016-09-16 19:13:59 UTC
SUSE-SU-2016:2330-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 991389,991390,991391,991746,997420
CVE References: CVE-2016-5419,CVE-2016-5420,CVE-2016-5421,CVE-2016-7141
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    curl-7.37.0-28.1
SUSE Linux Enterprise Server 12-SP1 (src):    curl-7.37.0-28.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    curl-7.37.0-28.1
Comment 9 Swamp Workflow Management 2016-09-26 00:09:14 UTC
openSUSE-SU-2016:2379-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 991389,991390,991391,991746,997420
CVE References: CVE-2016-5419,CVE-2016-5420,CVE-2016-5421,CVE-2016-7141
Sources used:
openSUSE Leap 42.1 (src):    curl-7.37.0-13.1
Comment 10 Marcus Meissner 2016-12-16 16:16:52 UTC
released