Debian CVE: CVE-2021-22945/CVE-2022-27781/CVE-2022-32207: curl: multiple CVEs

Bug #1994096 reported by Yue Tao
Affects: StarlingX; Status: Fix Released; Importance: Medium; Assigned to: Yue Tao

Bug Description

Title
-----
CVE-2021-22945: [https://nvd.nist.gov/vuln/detail/CVE-2021-22945]
CVE-2022-27781: [https://nvd.nist.gov/vuln/detail/CVE-2022-27781]
CVE-2022-32207: [https://nvd.nist.gov/vuln/detail/CVE-2022-32207]

Brief Description
-----------------
CVE-2022-32207
When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name. In that rename operation, it might accidentally *widen* the permissions for the target file, leaving the updated file accessible to more users than intended.

CVE-2022-27781
libcurl provides the `CURLOPT_CERTINFO` option to allow applications to request details to be returned about a server's certificate chain. Due to an erroneous function, a malicious server could make libcurl built with NSS get stuck in a never-ending busy-loop when trying to retrieve that information.
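
The permission widening described for CVE-2022-32207 is a property of the "write a temporary file, then rename() it over the target" save pattern: the target ends up with whatever mode the temporary file was created with. The C program below is an added example for this report, not curl's code and not part of the original bug: it contrasts a naive writer, whose temporary file gets the default 0666-minus-umask mode, with a hardened writer that creates the temporary file with mkstemp() (mode 0600) and copies the existing target's permission bits onto it before the rename. The directory and file names, the cookie-jar contents and all function names are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits of `path`, or -1 if it cannot be stat()ed. */
int file_mode(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}

static int write_all(int fd, const char *data, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, data, len);
        if (n < 0 && errno == EINTR) continue;
        if (n < 0) return -1;
        data += n; len -= (size_t)n;
    }
    return 0;
}

/* Shared tail of both writers: fill the already-open temp file, apply `mode`
 * if it is non-negative, flush, and rename() it over `target`. Cleans up on failure. */
static int finish(int fd, char *tmp, const char *target, const char *data, size_t len, int mode)
{
    int ok = write_all(fd, data, len) == 0
          && (mode < 0 || fchmod(fd, (mode_t)mode) == 0)
          && fsync(fd) == 0;
    ok = (close(fd) == 0) && ok;
    if (!ok || rename(tmp, target) != 0) { unlink(tmp); return -1; }
    return 0;
}

/* Naive save: the temp file is created the way fopen(..., "w") creates it,
 * mode 0666 & ~umask (0644 under the usual umask 022), and rename() installs
 * that inode, mode included, over the target. A private 0600 jar becomes 0644. */
int atomic_replace_naive(const char *target, const char *data, size_t len)
{
    char tmp[4096];
    if (snprintf(tmp, sizeof tmp, "%s.tmp", target) >= (int)sizeof tmp) return -1;
    int fd = open(tmp, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    if (fd < 0) return -1;
    return finish(fd, tmp, target, data, len, -1);
}

/* Hardened save: mkstemp() creates the temp file 0600 regardless of umask,
 * and the target's existing permission bits are copied onto it before the
 * rename, so the replacement is never more accessible than the original. */
int atomic_replace_preserve_mode(const char *target, const char *data, size_t len)
{
    int mode = file_mode(target);
    if (mode < 0) mode = 0600;                /* brand-new target: owner only */
    char tmp[4096];
    if (snprintf(tmp, sizeof tmp, "%s.XXXXXX", target) >= (int)sizeof tmp) return -1;
    int fd = mkstemp(tmp);
    if (fd < 0) return -1;
    return finish(fd, tmp, target, data, len, mode);
}

/* Constructed scenario: a private (0600) cookie jar in a fresh temp directory
 * is re-saved by `writer` under umask 022. Returns the jar's resulting
 * permission bits, or -1 on failure. */
static int mode_after_save(int (*writer)(const char *, const char *, size_t))
{
    char dir[] = "/tmp/curl_mode_demo.XXXXXX";
    if (!mkdtemp(dir)) {                      /* fall back to the working directory */
        strcpy(dir, "./curl_mode_demo.XXXXXX");
        if (!mkdtemp(dir)) return -1;
    }
    char target[128];
    snprintf(target, sizeof target, "%s/cookies.txt", dir);
    const char *jar = "# constructed cookie jar\n"
                      "example.test\tFALSE\t/\tFALSE\t0\tsid\tabc123\n";
    mode_t saved_umask = umask(022);
    int result = -1;
    int fd = open(target, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd >= 0) {
        close(fd);
        if (writer(target, jar, strlen(jar)) == 0) result = file_mode(target);
    }
    umask(saved_umask);
    unlink(target);
    rmdir(dir);
    return result;
}

int mode_after_naive_save(void)      { return mode_after_save(atomic_replace_naive); }
int mode_after_preserving_save(void) { return mode_after_save(atomic_replace_preserve_mode); }

int main(void)
{
    printf("naive save:      0%o\n", mode_after_naive_save());       /* 0644 */
    printf("preserving save: 0%o\n", mode_after_preserving_save());  /* 0600 */
    return 0;
}
```

The check that matters for a deployment is the same one the demo performs: after the application has rewritten its cookie, alt-svc or hsts file, stat the file and confirm its mode did not become wider than before the save. On a host that cannot yet take the deb11u3 packages, a restrictive umask for the service account limits the widening, because the temporary file's mode is 0666 masked by the umask.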

Fix
---
curl_7.74.0-1.3+deb11u1_amd64.deb -> curl_7.74.0-1.3+deb11u3_amd64.deb
libcurl3-gnutls_7.74.0-1.3+deb11u1_amd64.deb -> libcurl3-gnutls_7.74.0-1.3+deb11u3_amd64.deb
libcurl4_7.74.0-1.3+deb11u1_amd64.deb -> libcurl4_7.74.0-1.3+deb11u3_amd64.deb

Revision history for this message
OpenStack Infra (hudson-openstack) wrote: Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/862776

Changed in starlingx:
status: New → In Progress
Ghada Khalil (gkhalil) wrote:

screening: stx.8.0 / medium - CVE meets the stx fix criteria

information type: Public → Public Security
tags: added: stx.8.0 stx.security
Changed in starlingx:
importance: Undecided → Medium
assignee: nobody → Yue Tao (wrytao)
OpenStack Infra (hudson-openstack) wrote: Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/862776
Committed: https://opendev.org/starlingx/tools/commit/687d2b052ab2adb036785535a01e761ba4c9a4d8
Submitter: "Zuul (22348)"
Branch: master

commit 687d2b052ab2adb036785535a01e761ba4c9a4d8
Author: Yue Tao <email address hidden>
Date: Thu Oct 27 14:09:58 2022 +0800

    Debian: curl: fix CVE-2021-22945/CVE-2022-27781/CVE-2022-32207

    Upgrade curl, libcurl3-gnutls and libcurl4 to 7.74.0-1.3+deb11u3.

    Refer to:
    https://security-tracker.debian.org/tracker/CVE-2021-22945
    https://security-tracker.debian.org/tracker/CVE-2022-27781
    https://security-tracker.debian.org/tracker/CVE-2022-32207

    Also upgrade libcurl4-gnutls-dev and libcurl4-openssl-dev, which are the
    build dependencies of openscap, ceph, and systemd.

    Test Plan:

    Pass: build all
    Pass: boot

    Closes-bug: 1994096

    Signed-off-by: Yue Tao <email address hidden>
    Change-Id: I6594ff2a441d5508bee1a58b1f64d6f24ca96f1b

Changed in starlingx:
status: In Progress → Fix Released