Project curl Security Advisory, June 27th 2022
A malicious server can serve excessive amounts of Set-Cookie: headers in a HTTP response to curl and curl stores all of them. A sufficiently large amount of (big) cookies makes subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the threshold that curl uses internally to avoid sending crazy large requests (1048576 bytes) and instead returns an error.
This denial state might remain for as long as the same cookies are kept, match and have not expired. Due to cookie matching rules, a server on foo.example.com can set cookies that also would match for bar.example.com, making it possible for a "sister server" to effectively cause a denial of service for a sibling site on the same second level domain using this method.
CVE-2022-32205 was introduced in commit ed35d6590e72c23c, shipped in curl 7.71.0 with the introduction of the "dynbuf" internally. Before this change, curl had no limit on how large an HTTP request it could generate.
CWE-770: Allocation of Resources Without Limits or Throttling
Severity: Low
libcurl is used by many applications, but not always advertised as such!
We introduce several new limits and thresholds for cookies:

- Send no more than 150 cookies per request
- Cap the max length used for an outgoing Cookie: header to 8K
- Cap the max number of accepted Set-Cookie: header fields to 50
Fixed-in: https://github.com/curl/curl/commit/48d7064a49148f0394
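The three limits above, applied in a simplified cookie store so their effect on the size of the next request can be checked against the 1048576-byte threshold. This is an added Python example, not curl's code; the single-domain store (no path or expiry rules), the flood scenario and the host name example.invalid are constructed for illustration.

```python
MAX_SET_COOKIE_HEADERS = 50     # Set-Cookie: fields accepted from one response
MAX_COOKIES_PER_REQUEST = 150   # cookies placed in one outgoing Cookie: header
MAX_COOKIE_HEADER_BYTES = 8192  # bytes allowed in the outgoing Cookie: header
MAX_REQUEST_BYTES = 1048576     # request-size threshold named in the advisory


class CookieStore:
    """Simplified, single-domain cookie jar (assumption: no path/expiry rules)."""

    def __init__(self):
        self.cookies = {}  # name -> value, kept in insertion order

    def accept_response(self, set_cookie_headers):
        """Store at most MAX_SET_COOKIE_HEADERS cookies from one response."""
        accepted = 0
        for raw in set_cookie_headers:
            if accepted >= MAX_SET_COOKIE_HEADERS:
                break  # remaining Set-Cookie: fields are ignored
            pair = raw.split(";", 1)[0].strip()  # drop attributes such as Path=/
            if "=" not in pair:
                continue
            name, value = pair.split("=", 1)
            self.cookies[name.strip()] = value.strip()
            accepted += 1
        return accepted

    def cookie_header(self):
        """Build the Cookie: header value under both the count and byte caps."""
        parts, size = [], 0
        for name, value in self.cookies.items():
            if len(parts) >= MAX_COOKIES_PER_REQUEST:
                break
            piece = f"{name}={value}"
            extra = len(piece) + (2 if parts else 0)  # account for "; " separator
            if size + extra > MAX_COOKIE_HEADER_BYTES:
                break
            parts.append(piece)
            size += extra
        return "; ".join(parts)


def flood_and_build_request(responses=20, per_response=1000, value_len=4000):
    """Constructed scenario: `responses` replies, each with `per_response` big cookies."""
    store = CookieStore()
    for r in range(responses):
        headers = [f"c{r}_{i}={'x' * value_len}; Path=/" for i in range(per_response)]
        store.accept_response(headers)
    header = store.cookie_header()
    request = f"GET / HTTP/1.1\r\nHost: example.invalid\r\nCookie: {header}\r\n\r\n"
    return len(store.cookies), len(header), len(request)
```

With the defaults the store keeps 1000 cookies but only two 4 KB cookies fit under the 8K header cap, so the request stays at 8063 bytes instead of growing without bound.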
A - Upgrade curl to version7.84.0
B - Apply the patch to your local version
C - Do not use cookies
This issue was reported to the curl project on May 13, 2022. We contacted distros@openwall on June 20.
libcurl 7.84.0 was released on June 27 2022, coordinated with the publication of this advisory.
Thanks a lot!