Buy commercial curl support from WolfSSL. We help you work
out your issues, debug your libcurl applications, use the API, port to new
platforms, add new features and more. With a team lead by the curl founder
himself.
Re: curl: CVE-2022-43552: HTTP Proxy deny use-after-free
- Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]
From: Adam Sherman via curl-users <curl-users_at_lists.haxx.se>
Date: Wed, 21 Dec 2022 18:27:59 -0500
Hello Daniel & Wolf, Curl users,
Still having issues from my Saranac Lake NY home IP address. When I go to
use the " curl wttr.in/Saranac_Lake " command I get taken to a place called
"OymyAkon" instead and it says "404 coldest place known to man" with a
forecast of only freezing fog and negative temperatures all written in a
dramatic purple colored text..However when I then execute the command in
this context " curl wttr.in/Saranac " I am able to receive the weather for
the town "Saranac" in Clinton County which is about thirty minutes away
from Saranac Lake. This is accurate enough for me to pull a reading for the
town of Saranac Lake using curl however the spoof or joke on this end of
the server isn't funny anymore and I would like a permanent fix to this. I
want to be able to request an accurate reading from the server that
supplies the numbers for the town of Saranac Lake, New York. That is my
goal here. Thanks again for your help and also your valuable time.
Sincerely,
Adam N. Sherman
On Wed, Dec 21, 2022 at 2:24 AM Daniel Stenberg via curl-users <
curl-users_at_lists.haxx.se> wrote:
> CVE-2022-43552: HTTP Proxy deny use-after-free
> ==============================================
>
> Project curl Security Advisory, December 21 2022 -
> [Permalink](https://curl.se/docs/CVE-2022-43552.html)
>
> VULNERABILITY
> -------------
>
> curl can be asked to *tunnel* virtually all protocols it supports through
> an
> HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations
> using
> an appropriate HTTP error response code.
>
> When getting denied to tunnel the specific protocols SMB or TELNET, curl
> would
> use a heap-allocated struct after it had been freed, in its transfer
> shutdown
> code path.
>
> We are not aware of any exploit of this flaw.
>
> INFO
> ----
>
> This flaw was introduced for TELNET in [commit
> b7eeb6e67fca68](https://github.com/curl/curl/commit/b7eeb6e67fca68) in
> September 7, 2006. The SMB part was introduced in 2014 with [commit
> aec2e865f06669](https://github.com/curl/curl/commit/aec2e865f06669).
>
> The Common Vulnerabilities and Exposures (CVE) project has assigned the
> name
> CVE-2022-43552 to this issue.
>
> CWE-416: Use After Free
>
> Severity: Low
>
> AFFECTED VERSIONS
> -----------------
>
> - Affected versions: curl 7.16.0 to and including 7.86.0
> - Not affected versions: curl < 7.16.0 and curl >= 7.86.0
>
> libcurl is used by many applications, but not always advertised as such!
>
> THE SOLUTION
> ------------
>
> A [fix for CVE-2022-43552](
> https://github.com/curl/curl/commit/4f20188ac644afe17)
>
> RECOMMENDATIONS
> --------------
>
> A - Upgrade curl to version 7.87.0
>
> B - Apply the patch to your local version
>
> C - Avoid using SMB and TELNET or disable HTTP proxy use
>
> TIMELINE
> --------
>
> This issue was reported to the curl project on November 7, 2022. We
> contacted
> distros_at_openwall on December 12, 2022.
>
> curl 7.87.0 was released on December 21 2022, coordinated with the
> publication
> of this advisory.
>
> CREDITS
> -------
>
> - Reported-by: Trail of Bits
> - Patched-by: Daniel Stenberg
>
> Thanks a lot!
>
> --
>
> / daniel.haxx.se
> | Commercial curl support up to 24x7 is available!
> | Private help, bug fixes, support, ports, new features
> | https://curl.se/support.html
> --
> Unsubscribe: https://lists.haxx.se/listinfo/curl-users
> Etiquette: https://curl.se/mail/etiquette.html
>
Date: Wed, 21 Dec 2022 18:27:59 -0500
Hello Daniel & Wolf, Curl users,
Still having issues from my Saranac Lake NY home IP address. When I go to
use the " curl wttr.in/Saranac_Lake " command I get taken to a place called
"OymyAkon" instead and it says "404 coldest place known to man" with a
forecast of only freezing fog and negative temperatures all written in a
dramatic purple colored text..However when I then execute the command in
this context " curl wttr.in/Saranac " I am able to receive the weather for
the town "Saranac" in Clinton County which is about thirty minutes away
from Saranac Lake. This is accurate enough for me to pull a reading for the
town of Saranac Lake using curl however the spoof or joke on this end of
the server isn't funny anymore and I would like a permanent fix to this. I
want to be able to request an accurate reading from the server that
supplies the numbers for the town of Saranac Lake, New York. That is my
goal here. Thanks again for your help and also your valuable time.
Sincerely,
Adam N. Sherman
On Wed, Dec 21, 2022 at 2:24 AM Daniel Stenberg via curl-users <
curl-users_at_lists.haxx.se> wrote:
> CVE-2022-43552: HTTP Proxy deny use-after-free
> ==============================================
>
> Project curl Security Advisory, December 21 2022 -
> [Permalink](https://curl.se/docs/CVE-2022-43552.html)
>
> VULNERABILITY
> -------------
>
> curl can be asked to *tunnel* virtually all protocols it supports through
> an
> HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations
> using
> an appropriate HTTP error response code.
>
> When getting denied to tunnel the specific protocols SMB or TELNET, curl
> would
> use a heap-allocated struct after it had been freed, in its transfer
> shutdown
> code path.
>
> We are not aware of any exploit of this flaw.
>
> INFO
> ----
>
> This flaw was introduced for TELNET in [commit
> b7eeb6e67fca68](https://github.com/curl/curl/commit/b7eeb6e67fca68) in
> September 7, 2006. The SMB part was introduced in 2014 with [commit
> aec2e865f06669](https://github.com/curl/curl/commit/aec2e865f06669).
>
> The Common Vulnerabilities and Exposures (CVE) project has assigned the
> name
> CVE-2022-43552 to this issue.
>
> CWE-416: Use After Free
>
> Severity: Low
>
> AFFECTED VERSIONS
> -----------------
>
> - Affected versions: curl 7.16.0 to and including 7.86.0
> - Not affected versions: curl < 7.16.0 and curl >= 7.86.0
>
> libcurl is used by many applications, but not always advertised as such!
>
> THE SOLUTION
> ------------
>
> A [fix for CVE-2022-43552](
> https://github.com/curl/curl/commit/4f20188ac644afe17)
>
> RECOMMENDATIONS
> --------------
>
> A - Upgrade curl to version 7.87.0
>
> B - Apply the patch to your local version
>
> C - Avoid using SMB and TELNET or disable HTTP proxy use
>
> TIMELINE
> --------
>
> This issue was reported to the curl project on November 7, 2022. We
> contacted
> distros_at_openwall on December 12, 2022.
>
> curl 7.87.0 was released on December 21 2022, coordinated with the
> publication
> of this advisory.
>
> CREDITS
> -------
>
> - Reported-by: Trail of Bits
> - Patched-by: Daniel Stenberg
>
> Thanks a lot!
>
> --
>
> / daniel.haxx.se
> | Commercial curl support up to 24x7 is available!
> | Private help, bug fixes, support, ports, new features
> | https://curl.se/support.html
> --
> Unsubscribe: https://lists.haxx.se/listinfo/curl-users
> Etiquette: https://curl.se/mail/etiquette.html
>
-- Unsubscribe: https://lists.haxx.se/listinfo/curl-users Etiquette: https://curl.se/mail/etiquette.htmlReceived on 2022-12-22