Buy commercial curl support from WolfSSL. We help you work
out your issues, debug your libcurl applications, use the API, port to new
platforms, add new features and more. With a team lead by the curl founder
himself.
[SECURITY ADVISORY] CVE-2022-42915: HTTP proxy double-free (curl)
- Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]
From: Daniel Stenberg via curl-users <curl-users_at_lists.haxx.se>
Date: Wed, 26 Oct 2022 08:26:44 +0200 (CEST)
CVE-2022-42915: HTTP proxy double-free
======================================
Project curl Security Advisory, October 26 2022 -
[Permalink](https://curl.se/docs/CVE-2022-42915.html)
VULNERABILITY
-------------
If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it
sets up the connection to the remote server by issuing a `CONNECT` request to
the proxy, and then *tunnels* the rest of protocol through.
An HTTP proxy might refuse this request (HTTP proxies often only allow
outgoing connections to specific port numbers, like 443 for HTTPS) and instead
return a non-200 response code to the client.
Due to flaws in the error/cleanup handling, this could trigger a double-free
in curl if one of the following schemes were used in the URL for the transfer:
`dict`, `gopher`, `gophers`, `ldap`, `ldaps`, `rtmp`, `rtmps`, `telnet`
We are not aware of any exploit of this flaw.
INFO
Date: Wed, 26 Oct 2022 08:26:44 +0200 (CEST)
CVE-2022-42915: HTTP proxy double-free
======================================
Project curl Security Advisory, October 26 2022 -
[Permalink](https://curl.se/docs/CVE-2022-42915.html)
VULNERABILITY
-------------
If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it
sets up the connection to the remote server by issuing a `CONNECT` request to
the proxy, and then *tunnels* the rest of protocol through.
An HTTP proxy might refuse this request (HTTP proxies often only allow
outgoing connections to specific port numbers, like 443 for HTTPS) and instead
return a non-200 response code to the client.
Due to flaws in the error/cleanup handling, this could trigger a double-free
in curl if one of the following schemes were used in the URL for the transfer:
`dict`, `gopher`, `gophers`, `ldap`, `ldaps`, `rtmp`, `rtmps`, `telnet`
We are not aware of any exploit of this flaw.
INFO
---- The bug was introduced in [this commit](https://github.com/curl/curl/commit/51c0ebcff2140c3). The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2022-42915 to this issue. CWE-415: Double Free Severity: medium AFFECTED VERSIONS ----------------- - Affected versions: curl 7.77.0 to and including 7.85.0 - Not affected versions: curl < 7.77.0 and >= 7.86.0 libcurl is used by many applications, but not always advertised as such! THE SOLUTION ------------ [The fix for CVE-2022-42915](https://github.com/curl/curl/commit/55e1875729f9d9fc7315ce) RECOMMENDATIONS -------------- A - Upgrade curl to version 7.86.0 B - Apply the patch to your local version C - Do not do use HTTP proxy TIMELINE -------- This issue was reported to the curl project on October 4, 2022. We contacted distros_at_openwall on October 18, 2022. libcurl 7.86.0 was released on October 26 2022, coordinated with the publication of this advisory. CREDITS ------- This report was part of the security audit performed by Trail of Bits. - Reported-by: Trail of Bits - Patched-by: Daniel Stenberg Thanks a lot! -- / daniel.haxx.se | Commercial curl support up to 24x7 is available! | Private help, bug fixes, support, ports, new features | https://curl.se/support.html -- Unsubscribe: https://lists.haxx.se/listinfo/curl-users Etiquette: https://curl.se/mail/etiquette.htmlReceived on 2022-10-26