docker-library / python

Docker Official Image packaging for Python

Home Page: https://www.python.org/


curl vulnerability for bookworm

andreibodi22 opened this issue · comments

As specified in the https://curl.se/docs/CVE-2023-38545.html
AFFECTED VERSIONS
Affected versions: libcurl 7.69.0 to and including 8.3.0
Not affected versions: libcurl < 7.69.0 and >= 8.4.0
Introduced-in: curl/curl@4a4b63daaa


libcurl library affected, libcurl version >= 7.9.1 present on them: https://curl.se/docs/CVE-2023-38546.html
AFFECTED VERSIONS
Affected versions: libcurl 7.9.1 to and including 8.3.0
Not affected versions: libcurl < 7.9.1 and >= 8.4.0
Introduced-in: curl/curl@74d5a6fb3b9a96d9f

This vulnerability in curl involves a heap-based buffer overflow during the SOCKS5 proxy handshake. The core issue arises when curl is directed to send the hostname to a SOCKS5 proxy for address resolution. This hostname can be a maximum of 255 bytes. If it's longer, curl is supposed to resolve the name locally, passing only the resolved address to the proxy. However, due to a programming error, during a slow SOCKS5 handshake, curl might mistakenly copy an excessively long hostname into the target buffer, instead of just the resolved address.
In terms of implementation, the curl library is referred to as libcurl, and the command-line tool is known as the curl tool. The hostname in question comes from the URL curl processes. The relevant buffer is a heap-based download buffer in libcurl, initially 16kB in size but adjustable. The curl tool sets this buffer to 102400 bytes by default.
libcurl accepts URLs with hostnames up to 65535 bytes. If a hostname longer than the buffer size is used, it leads to an overflow, potentially exploitable in certain scenarios like a slow SOCKS5 handshake combined with a specially crafted URL.
This vulnerability, assigned CVE-2023-38545 by the CVE project and classified as CWE-122 (Heap-based Buffer Overflow), is of high severity. It mainly affects applications not setting or setting CURLOPT_BUFFERSIZE to less than 65541 bytes. The issue was introduced when the SOCKS5 handshake code shifted from a blocking function to a non-blocking state machine.

These were fixed in Debian Bookworm by version 7.88.1-10+deb12u4 (since Debian and most Linux distributions backport CVE fixes for stability).

This is the version that is installed:

$ docker run -it --rm python:bookworm bash
Unable to find image 'python:bookworm' locally
bookworm: Pulling from library/python
90e5e7d8b87a: Already exists
27e1a8ca91d3: Pull complete
d3a767d1d12e: Pull complete
711be5dc5044: Pull complete
48b2d58a56e9: Pull complete
b61fb8c5b702: Pull complete
67ddeb5b15df: Pull complete
7da1b82bcb72: Pull complete
Digest: sha256:5eba34eb667213abb09a4c470365180d5706076f76945e49b963ac15d428a684
Status: Downloaded newer image for python:bookworm
root@f41ee4163bc8:/# apt list --installed curl
Listing... Done
curl/now 7.88.1-10+deb12u4 amd64 [installed,local]
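The thread above shows the trap behind this kind of report: the upstream advisory lists 7.88.1 inside the affected range, but Debian bookworm ships a backported fix under the same upstream number, so only the full Debian package version (7.88.1-10+deb12u4, as the reply states) tells you whether the image is fixed. The script below is an added example, not code from docker-library/python or from curl; it parses `apt list --installed curl` output like the session above, compares Debian package versions with the dpkg ordering rules (epoch, then upstream, then revision, with `~` sorting before everything), and reports both the naive upstream-range verdict and the backport-aware verdict. The sample apt output and the older deb12u1 version are constructed for the example, and the fixed-version check is only meaningful for packages built for the same Debian release (bookworm here).

```python
"""Compare a Debian curl package version against the bookworm fix for CVE-2023-38545.

Added example; implements the dpkg version ordering in Python so it runs without dpkg.
"""
import re
from typing import Dict, Optional, Tuple

# Upstream affected range quoted from the curl advisory in the issue (CVE-2023-38545).
UPSTREAM_AFFECTED: Tuple[str, str] = ("7.69.0", "8.3.0")
# Bookworm package version carrying the backported fix, from the maintainer's reply.
BOOKWORM_FIXED = "7.88.1-10+deb12u4"

# Constructed sample of `apt list --installed curl` output (same shape as the session above).
SAMPLE_APT_OUTPUT = """Listing... Done
curl/now 7.88.1-10+deb12u4 amd64 [installed,local]
"""

APT_LIST_RE = re.compile(r"^(?P<pkg>[^/\s]+)/\S+\s+(?P<version>\S+)\s+\S+\s+\[")


def _order(c: str) -> int:
    """Character weight used by dpkg: digits 0, letters by code, '~' below empty, others above."""
    if c in "0123456789":
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    if c:
        return ord(c) + 256
    return 0  # end of string


def _verrevcmp(a: str, b: str) -> int:
    """dpkg's verrevcmp: alternate non-digit runs (by _order) and numeric runs (by value)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and a[i] not in "0123456789") or (j < len(b) and b[j] not in "0123456789"):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i] in "0123456789" and j < len(b) and b[j] in "0123456789":
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in "0123456789":
            return 1  # a has more digits in this numeric run, so it is larger
        if j < len(b) and b[j] in "0123456789":
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str) -> Tuple[int, str, str]:
    """Split [epoch:]upstream[-revision] into its three parts."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_debian_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like `dpkg --compare-versions` ordering of a against b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    c = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (c > 0) - (c < 0)


def installed_version(apt_output: str, package: str) -> Optional[str]:
    """Pick the installed version of `package` out of `apt list --installed` output."""
    for line in apt_output.splitlines():
        m = APT_LIST_RE.match(line)
        if m and m.group("pkg") == package:
            return m.group("version")
    return None


def upstream_in_affected_range(deb_version: str) -> bool:
    """Naive scanner logic: is the upstream part inside the advisory's affected range?"""
    upstream = _split(deb_version)[1]
    lo, hi = UPSTREAM_AFFECTED
    return _verrevcmp(upstream, lo) >= 0 and _verrevcmp(upstream, hi) <= 0


def bookworm_has_fix(deb_version: str) -> bool:
    """Backport-aware check: is the bookworm package at or above the fixed revision?"""
    return compare_debian_versions(deb_version, BOOKWORM_FIXED) >= 0


def assess(apt_output: str) -> Dict[str, object]:
    """Combine both verdicts so the difference between them is visible at a glance."""
    version = installed_version(apt_output, "curl")
    if version is None:
        return {"installed": None, "naive_upstream_flag": None, "fixed_by_backport": None}
    return {
        "installed": version,
        "naive_upstream_flag": upstream_in_affected_range(version),
        "fixed_by_backport": bookworm_has_fix(version),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_APT_OUTPUT))
    # Constructed older revision, to show the backport check going the other way.
    print(assess(SAMPLE_APT_OUTPUT.replace("deb12u4", "deb12u1")))
```

For the session output shown in the reply, `naive_upstream_flag` is True (7.88.1 sits inside 7.69.0..8.3.0) while `fixed_by_backport` is True as well, which is exactly the disagreement a scanner keyed only on upstream versions produces; the authoritative source for the fixed revision is the Debian security tracker or the package changelog, not the upstream advisory.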