update: curl #1123

Closed
dongsupark opened this issue Jul 19, 2023 · 0 comments · Fixed by flatcar/scripts#1049
Labels
advisory security advisory cvss/MEDIUM >= 4 && < 7 assessed CVSS security security concerns

dongsupark commented Jul 19, 2023

Name: curl
CVEs: CVE-2023-32001
CVSSs: 5.0
Action Needed: update to >= 8.2.0

Summary:

VULNERABILITY

libcurl can be told to save cookie, HSTS and/or alt-svc data to files. When doing this, it called stat() followed by fopen() in a way that made it vulnerable to a TOCTOU race condition problem.

By exploiting this flaw, an attacker could trick the victim into creating or overwriting protected files holding this data in ways it was not intended to.

INFO

The attacker needs permissions and rights enough to be able to create or rename directory entries in the directory the victim saves their files.

This race condition modifies the behavior of symbolic link files in affected components: they might be followed instead of being overwritten when the condition is met, leading to undesired and potentially destructive behavior.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2023-32001 to this issue.

  • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
  • Severity: Medium

AFFECTED VERSIONS

  • Affected versions: libcurl 7.84.0 to and including 8.1.2
  • Not affected versions: libcurl < 7.84.0 and >= 8.2.0
  • Introduced-in: curl/curl@20f9dd6bae50b722

See also https://seclists.org/oss-sec/2023/q3/41.

Gentoo: https://bugs.gentoo.org/910564
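
The stat()-then-fopen() shape the advisory describes, next to one common way to close the window, as an added example (not libcurl code and not the upstream fix). The function names, file names and the temp-directory scenario are constructed for illustration.

```c
#define _XOPEN_SOURCE 700  /* expose POSIX.1-2008 names (O_NOFOLLOW, mkdtemp) */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy shape (simplified): the path is resolved twice, by stat() and then
   by fopen(); the directory entry can change in between. */
FILE *open_racy(const char *path)
{
  struct stat sb;
  if(stat(path, &sb) == 0 && !S_ISREG(sb.st_mode)) return NULL; /* check */
  return fopen(path, "w");                                      /* use */
}

/* Hardened shape: resolve the path once, refuse a symlink as the final
   component, and check the object that was actually opened. */
FILE *open_checked(const char *path)
{
  struct stat sb;
  FILE *fp = NULL;
  int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
  if(fd < 0) return NULL;        /* fails when path is a symlink */
  if(fstat(fd, &sb) == 0 && S_ISREG(sb.st_mode) && ftruncate(fd, 0) == 0)
    fp = fdopen(fd, "w");        /* truncate only after the check passed */
  if(!fp) close(fd);
  return fp;
}

/* Constructed scenario: "cookies.txt" is a symlink to another file.
   Returns 1 if open_checked() refuses it and the target stays intact. */
int symlink_refused(void)
{
  char dir[] = "/tmp/toctou-XXXXXX", tgt[64], lnk[64];
  struct stat sb;
  FILE *fp;
  int ok;
  if(!mkdtemp(dir)) return -1;
  snprintf(tgt, sizeof(tgt), "%s/protected", dir);
  snprintf(lnk, sizeof(lnk), "%s/cookies.txt", dir);
  if(!(fp = fopen(tgt, "w"))) return -1;
  fputs("keep", fp);
  fclose(fp);
  if(symlink(tgt, lnk) != 0) return -1;
  ok = open_checked(lnk) == NULL && stat(tgt, &sb) == 0 && sb.st_size == 4;
  unlink(lnk); unlink(tgt); rmdir(dir);
  return ok;
}
```

`O_NOFOLLOW` only covers the final path component, so the directory holding the file still needs to be writable by the saving user alone.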
