CVE-2025-0665
eventfd double close
Project curl Security Advisory, February 5th 2025
VULNERABILITY
libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection channel after having completed a threaded name resolve.
INFO
This flaw requires libcurl to be built with the threaded resolver. It also requires that eventfd is used in the curl build; this feature is only used on 64-bit architectures.
The eventfd socket is used for inter-thread messaging. Since the communication was originally written to use socketpair() only, there were two close() calls done, and the superfluous one was accidentally left in use because of an #ifdef mistake.
This bug was reported (and fixed) immediately after the 8.11.1 release, but the security impact was not considered until later. This bug causes libcurl to act unreliably, which many users have noticed, and they either avoided eventfd or the vulnerable version, somewhat reducing the impact of this problem.
It can also be worth noting that both close() calls are typically made within a few dozen instructions of each other, severely limiting the ability of an external party to control which other file descriptor this can be made to affect.
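The bug class described above, reconstructed as an added C example that is not curl's own code: a channel helper written for socketpair() (two descriptors) keeps both close() calls when built for eventfd (one descriptor stored in both slots), so the second close() hits a descriptor number that is already closed or already reused by another thread. The struct and function names are assumed for illustration.

```c
#include <unistd.h>
#include <sys/socket.h>
#ifdef __linux__
#include <sys/eventfd.h>
#endif

/* Hypothetical channel: socketpair() fills two distinct descriptors,
 * eventfd() yields one descriptor that is stored in both slots. */
struct thread_channel {
    int fds[2];
};

static int channel_open(struct thread_channel *ch, int use_eventfd)
{
#ifdef __linux__
    if (use_eventfd) {
        int fd = eventfd(0, EFD_CLOEXEC);
        if (fd < 0)
            return -1;
        ch->fds[0] = ch->fds[1] = fd;
        return 0;
    }
#else
    if (use_eventfd)
        return -1; /* eventfd is Linux-only */
#endif
    return socketpair(AF_UNIX, SOCK_STREAM, 0, ch->fds);
}

/* Buggy teardown, as when the close() pair written for socketpair() is
 * left in the eventfd build: the second close() targets a descriptor
 * number that is already closed, or already reused by another thread.
 * Returns the number of close() calls that failed. */
static int channel_close_buggy(struct thread_channel *ch)
{
    int failed = 0;
    if (close(ch->fds[0]) < 0) failed++;
    if (close(ch->fds[1]) < 0) failed++;
    return failed;
}

/* Fixed teardown: the second slot is closed only if it is a distinct fd. */
static int channel_close_fixed(struct thread_channel *ch)
{
    int failed = 0;
    if (close(ch->fds[0]) < 0) failed++;
    if (ch->fds[1] != ch->fds[0] && close(ch->fds[1]) < 0) failed++;
    ch->fds[0] = ch->fds[1] = -1;
    return failed;
}
```

In a single-threaded run the stray close() merely fails with EBADF; under the threaded resolver, a descriptor opened by another thread in between can occupy that number and be closed instead.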
This bug is not considered a C mistake. It is not likely to have been avoided had we not been using C.
This flaw also affects the curl command line tool.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2025-0665 to this issue.
CWE-1341: Multiple Releases of Same Resource or Handle
Severity: Low
AFFECTED VERSIONS
- Affected version: curl 8.11.1
- Not affected versions: curl < 8.11.1 and >= 8.12.0
- Introduced-in: https://github.com/curl/curl/commit/92124838c6b7e09e3f35f
libcurl is used by many applications, but not always advertised as such!
SOLUTION
RECOMMENDATIONS
We suggest you take one of the following actions immediately, in order of preference:
A - Upgrade curl and libcurl to version 8.12.0
B - Apply the patch to your version and rebuild
C - Disable eventfd use in your build
D - Use the c-ares resolver backend
TIMELINE
This issue was reported to the curl project on January 22, 2025. We contacted distros@openwall on January 28, 2025.
curl 8.12.0 was released on February 5, 2025 around 08:00 UTC, coordinated with the publication of this advisory.
CREDITS
- Reported-by: Ankom Coper
- Patched-by: Andy Pan
The original bug was first reported as a "normal" bug, by:
- Reported-by: Christian Heusel
Thanks a lot!