Project curl Security Advisory, July 21st 2021
curl supports the -t command line option, known as CURLOPT_TELNETOPTIONS in libcurl. This rarely used option is used to send variable=content pairs to TELNET servers.
Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, potentially revealing sensitive internal information to the server using a clear-text network protocol.
This could happen because curl did not call and use sscanf() correctly when parsing the string provided by the application.
The previous curl security vulnerability CVE-2021-22898 is almost identical to this one but the fix was insufficient so this security vulnerability remained.
There was a previous attempt to fix this issue in curl 7.77.0 but it was not done properly.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2021-22925 to this issue.
CWE-457: Use of Uninitialized Variable
Severity: Medium
libcurl is used by many applications, but not always advertised as such.
Use sscanf() properly and only use properly filled-in buffers.
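The pattern that sentence describes, as an added example (this is not curl's code or the project's patch): the function name encode_env_pair, the buffer sizes and the "name,value" argument form are assumptions for illustration, and the VAR/VALUE codes are taken from RFC 1572. It rejects input unless both sscanf() conversions succeed and sizes the output from the parsed fields rather than from the input string.

```c
#include <stdio.h>
#include <string.h>

#define NEW_ENV_VAR   0  /* RFC 1572 VAR */
#define NEW_ENV_VALUE 1  /* RFC 1572 VALUE */

/* Hypothetical helper: encode one "name,value" pair as VAR name VALUE value.
 * Returns the number of bytes written to out, or -1 on malformed input or
 * insufficient space. */
int encode_env_pair(const char *arg, unsigned char *out, size_t outsize)
{
  char name[128] = "";
  char value[128] = "";
  size_t nlen, vlen, need;

  /* Field widths leave room for the terminating NUL; both conversions
     must succeed, otherwise one of the buffers was never filled in. */
  if(sscanf(arg, "%127[^,],%127s", name, value) != 2)
    return -1;

  /* Sizes come from what sscanf() stored, not from strlen(arg): %s stops
     at whitespace, so the parsed fields can be shorter than the input. */
  nlen = strlen(name);
  vlen = strlen(value);
  need = 1 + nlen + 1 + vlen;
  if(need > outsize)
    return -1;

  out[0] = NEW_ENV_VAR;
  memcpy(out + 1, name, nlen);
  out[1 + nlen] = NEW_ENV_VALUE;
  memcpy(out + 2 + nlen, value, vlen);
  return (int)need;
}

int main(void)
{
  unsigned char frame[300];
  /* Constructed sample arguments: well-formed, missing value, embedded space */
  const char *samples[] = { "USER,alice", "USER", "TERM,xterm 256" };
  for(size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
    printf("%-16s -> %d\n", samples[i],
           encode_env_pair(samples[i], frame, sizeof(frame)));
  return 0;
}
```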
A - Upgrade curl to version 7.78.0
B - Apply the patch to your local version
C - Avoid using CURLOPT_TELNETOPTIONS
This issue was reported to the curl project on June 11, 2021.
This advisory was posted on July 21, 2021.
Thanks a lot!