[Debian] CVE: CVE-2023-23916: curl: An allocation of resources without limits or throttling vulnerability

Bug #2009332 reported by Yue Tao
Affects:     StarlingX
Status:      Fix Released
Importance:  High
Assigned to: Li Zhou

Bug Description

CVE-2023-23916: https://nvd.nist.gov/vuln/detail/CVE-2023-23916

An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was capped, but the cap was implemented on a per-header basis allowing a malicious server to insert a virtually unlimited number of compression steps simply by using many headers. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.
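The per-header versus per-response counting difference described above, as an added illustration that is not curl's own code: a small check that tallies Content-Encoding links across all headers of one response and rejects the chain once the total passes a cap, next to the flawed per-header tally. The cap value of 5 and the sample headers are constructed assumptions.

```python
# Added example (not curl's code): tally the "links" of an HTTP decompression
# chain across every Content-Encoding header of one response, and compare the
# per-header cap described in the bug with a per-response cap. The cap value
# and the sample headers below are constructed assumptions.
MAX_ENCODE_STACK = 5  # assumed limit on decompression links per response


def parse_encodings(header_value):
    """Split one Content-Encoding value into its comma-separated links."""
    return [tok.strip().lower() for tok in header_value.split(",") if tok.strip()]


def content_encoding_headers(raw_headers):
    """Return the values of every Content-Encoding header, in response order."""
    values = []
    for line in raw_headers:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "content-encoding":
            values.append(value)
    return values


def chain_per_header_cap(raw_headers, cap=MAX_ENCODE_STACK):
    """Flawed check: the cap applies to each header on its own, so a response
    carrying many short headers is accepted however long the total chain is."""
    chain = []
    for value in content_encoding_headers(raw_headers):
        links = parse_encodings(value)
        if len(links) > cap:
            return False, len(chain)
        chain.extend(links)
    return True, len(chain)


def chain_per_response_cap(raw_headers, cap=MAX_ENCODE_STACK):
    """Fixed check: one running total across all headers; reject the response
    as soon as the accumulated number of links would exceed the cap."""
    chain = []
    for value in content_encoding_headers(raw_headers):
        for link in parse_encodings(value):
            if len(chain) >= cap:
                return False, len(chain)
            chain.append(link)
    return True, len(chain)


# Constructed sample responses: ten one-link headers versus one two-link header.
MANY_HEADERS = ["HTTP/1.1 200 OK"] + ["Content-Encoding: gzip"] * 10
ONE_HEADER = ["HTTP/1.1 200 OK", "Content-Encoding: gzip, br"]
```

With the constructed MANY_HEADERS input the per-header check returns (True, 10) while the per-response check stops at (False, 5).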

Score:
cve_id          status  cvss3Score  av  ac  pr  ui  ai
CVE-2023-23916  fixed   7.5         N   L   N   N   H

References (package upgrades, old ===> new):
curl_7.74.0-1.3+deb11u3_amd64.deb ===> curl_7.74.0-1.3+deb11u7_amd64.deb
libcurl3-gnutls_7.74.0-1.3+deb11u3_amd64.deb ===> libcurl3-gnutls_7.74.0-1.3+deb11u7_amd64.deb
libcurl4_7.74.0-1.3+deb11u3_amd64.deb ===> libcurl4_7.74.0-1.3+deb11u7_amd64.deb
libcurl4-gnutls-dev_7.74.0-1.3+deb11u3_amd64.deb ===> libcurl4-gnutls-dev_7.74.0-1.3+deb11u7_amd64.deb
libcurl4-openssl-dev_7.74.0-1.3+deb11u3_amd64.deb ===> libcurl4-openssl-dev_7.74.0-1.3+deb11u7_amd64.deb

Yue Tao (wrytao)
Changed in starlingx:
status: New → Triaged
importance: Undecided → High
tags: added: stx.9.0 stx.security
information type: Public → Public Security
Yue Tao (wrytao)
Changed in starlingx:
assignee: nobody → Li Zhou (lzhou2)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/877072

Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/877072
Committed: https://opendev.org/starlingx/tools/commit/356407865c350835a9bbd46d7b55aa1dc0f373e8
Submitter: "Zuul (22348)"
Branch: master

commit 356407865c350835a9bbd46d7b55aa1dc0f373e8
Author: Li Zhou <email address hidden>
Date: Thu Mar 9 10:02:45 2023 +0800

    Debian: curl : fix CVE-2023-23916

    Upgrade packages to below version to fix CVE-2023-23916:
    curl_7.74.0-1.3+deb11u7_amd64.deb
    libcurl3-gnutls_7.74.0-1.3+deb11u7_amd64.deb
    libcurl4_7.74.0-1.3+deb11u7_amd64.deb
    libcurl4-gnutls-dev_7.74.0-1.3+deb11u7_amd64.deb
    libcurl4-openssl-dev_7.74.0-1.3+deb11u7_amd64.deb

    Refer to:
    https://security-tracker.debian.org/tracker/CVE-2023-23916

    Test Plan:
    Pass: downloader
    Pass: build-pkgs --clean --all
    Pass: build-image
    Pass: boot

    Closes-bug: #2009332

    Signed-off-by: Li Zhou <email address hidden>
    Change-Id: I9a802997067ec04a27267c79e4d8aefacefd8c83

Changed in starlingx:
status: In Progress → Fix Released