Amazon: ALAS2-2022-1882

Medium: curl

Published: Dec 01, 2022 - 8:31 p.m.
Source: alas.aws.amazon.com

CVSS3: 9.8 High
    Attack Vector: NETWORK
    Attack Complexity: LOW
    Privileges Required: NONE
    User Interaction: NONE
    Scope: UNCHANGED
    Confidentiality Impact: HIGH
    Integrity Impact: HIGH
    Availability Impact: HIGH
    Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.7 High (Confidence: High)

CVSS2: 7.5 High
    Access Vector: NETWORK
    Access Complexity: LOW
    Authentication: NONE
    Confidentiality Impact: PARTIAL
    Integrity Impact: PARTIAL
    Availability Impact: PARTIAL
    Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.006 Low (Percentile: 77.4%)

Issue Overview:

A vulnerability was found in curl. When doing HTTP(S) transfers, curl might erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle was previously used to issue a PUT request that used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent POST request. (CVE-2022-32221)

A vulnerability was found in curl. The issue occurs when curl is told to parse a .netrc file for credentials. If that file ends in a line with consecutive non-white space letters and no newline, curl could read past the end of the stack-based buffer, and if the read works, it can write a zero byte beyond its boundary. This issue, in most cases, causes a segfault or similar problem. A denial of service can occur if a malicious user can provide a custom netrc file to an application or otherwise affect its contents. (CVE-2022-35260)

A vulnerability was found in curl. The issue occurs if curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL. It sets up the connection to the remote server by issuing a CONNECT request to the proxy and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 response code to the client. Due to flaws in the error/cleanup handling, this could trigger a double-free issue in curl if using one of the following schemes in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, telnet. (CVE-2022-42915)

A vulnerability was found in curl. curl’s HSTS check can be bypassed to trick it into continuing to use HTTP. With its HSTS support, curl can be instructed to use HTTPS directly instead of an insecure clear-text HTTP step, even when HTTP is provided in the URL. This mechanism can be bypassed if the hostname in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, for example the UTF-8 character U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E). (CVE-2022-42916)
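
The HSTS mismatch described for CVE-2022-42916, as an added illustration that is not curl's code or part of the original advisory: an HSTS lookup on the raw hostname misses an entry that the same lookup finds once the name is put into the form IDN conversion produces. The cache contents, host names and function names are constructed for the example.

```python
# Added illustration (not curl source). Cache contents and host names are constructed.

# RFC 3490 section 3.1 lists these as label separators equivalent to U+002E.
IDNA_DOTS = str.maketrans({"\u3002": ".", "\uff0e": ".", "\uff61": "."})

# Constructed HSTS cache: host name -> includeSubDomains flag.
HSTS_CACHE = {"example.com": True, "login.example.net": False}


def canonical_host(host):
    """Return the ASCII form of a host name, as IDN conversion would produce it."""
    host = host.translate(IDNA_DOTS).rstrip(".").lower()
    # Python's built-in IDNA (2003) codec turns non-ASCII labels into xn-- labels.
    return host.encode("idna").decode("ascii")


def hsts_match(host, cache=HSTS_CACHE):
    """True on an exact entry, or on a parent entry that set includeSubDomains."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in cache and (i == 0 or cache[candidate]):
            return True
    return False


def scheme_for(host, normalise):
    """Scheme a client would use for an http:// URL to `host`."""
    lookup = canonical_host(host) if normalise else host
    return "https" if hsts_match(lookup) else "http"


if __name__ == "__main__":
    for h in ("example.com", "example\u3002com", "www\uff0eexample.com",
              "sub.login.example.net"):
        print(ascii(h), "raw:", scheme_for(h, False),
              "normalised:", scheme_for(h, True))
```

Applications that keep their own HSTS or allow-list cache can apply the same rule: canonicalise the host once and use that single form for both the policy lookup and the connection.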

Affected Packages:

curl

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update curl to update your system.

New Packages:

aarch64:  
    curl-7.79.1-7.amzn2.0.1.aarch64  
    libcurl-7.79.1-7.amzn2.0.1.aarch64  
    libcurl-devel-7.79.1-7.amzn2.0.1.aarch64  
    curl-debuginfo-7.79.1-7.amzn2.0.1.aarch64  
  
i686:  
    curl-7.79.1-7.amzn2.0.1.i686  
    libcurl-7.79.1-7.amzn2.0.1.i686  
    libcurl-devel-7.79.1-7.amzn2.0.1.i686  
    curl-debuginfo-7.79.1-7.amzn2.0.1.i686  
  
src:  
    curl-7.79.1-7.amzn2.0.1.src  
  
x86_64:  
    curl-7.79.1-7.amzn2.0.1.x86_64  
    libcurl-7.79.1-7.amzn2.0.1.x86_64  
    libcurl-devel-7.79.1-7.amzn2.0.1.x86_64  
    curl-debuginfo-7.79.1-7.amzn2.0.1.x86_64  

Additional References

Red Hat: CVE-2022-32221, CVE-2022-35260, CVE-2022-42915, CVE-2022-42916

Mitre: CVE-2022-32221, CVE-2022-35260, CVE-2022-42915, CVE-2022-42916
