CVE-2021-22925: Buffer Overflow

cURL libcurl could allow a remote attacker to obtain sensitive information, caused by a flaw in the option parser for sending NEWENV variables. By sniffing the network traffic, an attacker could exploit this vulnerability to obtain TELNET stack contents, and use this information to launch further attacks against the affected system.

— IBM

curl supports the -t command line option, known as CURLOPTTELNETOPTIONSin libcurl. This rarely used option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for sending NEWENV variables, libcurlcould be made to pass on uninitialized data from a stack based buffer to theserver. Therefore potentially revealing sensitive internal information to theserver using a clear-text network protocol.This could happen because curl did not call and use sscanf() correctly whenparsing the string provided by the application.

curl. A buffer overflow was addressed with improved input validation.

CVE-2021-22898: TELNET stack contents disclosure (see bug 1964887) issue was recently reported for curl and it was addressed in curl 7.77.0:

https://curl.se/docs/CVE-2021-22898.html https://github.com/curl/curl/commit/39ce47f219b09c380b81f89fe54ac586c8db6bde https://hackerone.com/reports/1176461

However, the fix applied is not correct and does not completely address the issue. It helps in cases when long environment variable name is used ('a'256 + ',b'), but not when the name is short and only the value is long ('a,' + 'b'256, which is the example mentioned in the curl project advisory).

Long variable values still trigger memory disclosure as described in the original report.

This issue was reported upstream via:

https://hackerone.com/reports/1223882

— Red Hat