Docs Overview
Project
Bug Bounty Bug Report Code of conduct Dependencies Donate FAQ Features Governance History Install Known Bugs Logo TODO Web Site Info
Protocols
alt-svc CA Extract HSTS HTTP cookies HTTP/2 HTTP/3 MQTT SSL certs SSL libs compared URL syntax WebSocket
Releases
Changelog curl CVEs Release Table Version Nums Vulnerabilities
Tool
Comparison Table curl man page HTTP Scripting mk-ca-bundle Tutorial When options were added
Who and Why
Companies Copyright Sponsors Thanks The name
curl / Docs / curl CVEs / fopen race condition
Related:
Audits
Bug Bounty
Changelog
curl CVEs
JSON metadata
Original report
Vulnerability Disclosure
Vulnerabilities Table
Awarded 2400 USD

CVE-2023-32001

fopen race condition

Project curl Security Advisory, July 19 2023 - Permalink

RETRACTED

As of August 2023, the curl security team has retracted this issue and we no longer consider this a curl security flaw. This race condition is a potential issue for users, but one that cannot easily be avoided or fixed for users who insist in creating and storing sensitive files in the same directory where curl saves files - in a multi-user system.

For the sake of history, we keep the advisory as it was originally stated below.

VULNERABILITY

libcurl can be told to save cookie, HSTS and/or alt-svc data to files. When doing this, it called stat() followed by fopen() in a way that made it vulnerable to a TOCTOU race condition problem.

By exploiting this flaw, an attacker could trick the victim into creating or overwriting protected files holding this data in ways it was not intended to.

INFO

The attacker needs permissions and rights sufficient enough to be able to create or rename directory entries in the directory the victim saves their files.

This race condition modifies the behavior of symbolic link files in affected components, since they might be followed instead of being overwritten when the condition is met, leading to both undesired and potentially destructive behavior.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2023-32001 to this issue.

CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

Severity: Medium

AFFECTED VERSIONS

libcurl is used by many applications, but not always advertised as such!

SOLUTION

RECOMMENDATIONS

A - Upgrade curl to version 8.2.0

B - Apply the patch to your local version

C - Do not save cookie, HSTS or alt-svc data

TIMELINE

This issue was reported to the curl project on June 27, 2023. We contacted distros@openwall on July 12, 2023.

libcurl 8.2.0 was released on July 19 2023, coordinated with the publication of this advisory.

CREDITS

Thanks a lot!