
curl official site security update (2021-07-21)

Source: curl official site   Published: 2021-07-21   Views: 7075   Comments: 0

Basic information

Release date: 2021-07-21 (official local time)

Update type: security update

Updated version: unknown

Detection time: 2021-07-21 15:06:19

Risk level: medium

Intelligence contributed by: TSRC

Update title

CURLOPT_SSLCERT mixup with Secure Transport

Update details

CURLOPT_SSLCERT mixup with Secure Transport
Project curl Security Advisory, July 21st 2021
VULNERABILITY
libcurl-using applications can ask for a specific client certificate to be used in a transfer. This is done with the CURLOPT_SSLCERT option (--cert with the command line tool).
When libcurl is built to use the macOS native TLS library Secure Transport, an application can ask for the client certificate either by keychain name or by file name, using the same option. If the given name also exists as a file, the file is used instead of the keychain entry.
If the application runs with a current working directory that is writable by other users (like /tmp), a malicious user can create a file with the same name as the keychain entry the application wants to use, and thereby trick the application into loading the file-based certificate instead of the one referred to by name, making libcurl send the wrong client certificate in the TLS connection handshake.
We are not aware of any exploit of this flaw.
INFO
This flaw has existed in curl since commit d2fe616e7e in libcurl 7.33.0, released on October 14, 2013.
The fixed libcurl version instead first checks the keychain for a certificate with the specified name, and only if none exists does it check for a file of that name.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2021-22926 to this issue.
CWE-295: Improper Certificate Validation
Severity: Medium
AFFECTED VERSIONS
Using libcurl on macOS built to use Secure Transport.
Affected versions: curl 7.33.0 to and including 7.77.0
Not affected versions: curl < 7.33.0 and curl >= 7.78.0
Also note that libcurl is used by many applications, and not always advertised as such.
THE SOLUTION
File names used in this option must contain at least one slash.
A fix for CVE-2021-22926
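To make the ordering problem concrete, the following C program models the two lookup orders described above: the legacy behaviour (a file of the same name in the working directory wins over the keychain entry) and the fixed behaviour (keychain first, and a spec is only treated as a path if it contains a slash). This is an added illustration written for this page, not code from the curl project; the keychain and the file system are replaced by constructed in-memory name lists so it runs offline, and the function and list names are made up for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Where the client certificate would be loaded from. */
typedef enum { CERT_NOT_FOUND = 0, CERT_FROM_KEYCHAIN, CERT_FROM_FILE } cert_source;

/* Constructed stand-in for the macOS keychain: names of certificates it holds. */
static const char *const keychain_names[] = { "My Client Cert", "Corp VPN", NULL };

/* Constructed stand-in for the file system, seen relative to the current
 * working directory. "My Client Cert" and "client.pem" model files that
 * another user dropped into a shared directory such as /tmp. */
static const char *const present_files[] = {
    "My Client Cert", "client.pem", "./certs/client.pem", NULL
};

static bool in_list(const char *const *list, const char *s) {
    for (; *list; list++)
        if (strcmp(*list, s) == 0)
            return true;
    return false;
}

/* Legacy order (curl 7.33.0 to 7.77.0): if the spec names an existing file,
 * the file is used, even when the same name also exists in the keychain. */
cert_source resolve_legacy(const char *spec) {
    if (in_list(present_files, spec))
        return CERT_FROM_FILE;
    if (in_list(keychain_names, spec))
        return CERT_FROM_KEYCHAIN;
    return CERT_NOT_FOUND;
}

/* Fixed order (curl 7.78.0+) as the advisory describes it: the keychain is
 * consulted first, and a spec is only ever treated as a file name when it
 * contains at least one slash. A bare name can therefore no longer be
 * shadowed by a file planted in the working directory. */
cert_source resolve_fixed(const char *spec) {
    if (in_list(keychain_names, spec))
        return CERT_FROM_KEYCHAIN;
    if (strchr(spec, '/') != NULL && in_list(present_files, spec))
        return CERT_FROM_FILE;
    return CERT_NOT_FOUND;
}

static const char *describe(cert_source s) {
    switch (s) {
    case CERT_FROM_KEYCHAIN: return "keychain";
    case CERT_FROM_FILE:     return "file";
    default:                 return "not found";
    }
}

int main(void) {
    const char *specs[] = { "My Client Cert", "client.pem", "./certs/client.pem", "Corp VPN" };
    for (size_t i = 0; i < sizeof specs / sizeof specs[0]; i++)
        printf("%-20s legacy: %-9s fixed: %s\n", specs[i],
               describe(resolve_legacy(specs[i])), describe(resolve_fixed(specs[i])));
    return 0;
}
```

Running it shows the mixup directly: under the legacy order "My Client Cert" resolves to the planted file, while under the fixed order it resolves to the keychain entry, and a slash-less "client.pem" is not picked up from the working directory at all. Applications that want a file should pass a path containing a slash (for example "./client.pem"), which is also what the solution section above requires.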
RECOMMENDATIONS
A - Upgrade curl to version 7.78.0
B - Apply the patch to your local version
C - Do not run your application in directories where other users can inject files.
TIMELINE
This issue was reported to the curl project on June 15, 2021.
This advisory was posted on July 21, 2021.
CREDITS
This issue was reported by Harry Sintonen. Patched by Daniel Stenberg.
Thanks a lot!

Software description

cURL is a command-line file transfer tool that works with URL syntax, first released in 1997. It supports both uploading and downloading files, so it is a general-purpose transfer tool, although by tradition it is usually referred to as a download tool.

CVE number

CVE-2021-22926

TSRC analysis

None yet

Industry news

None yet
