curl-8.9.0-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:14225-1 Final 1 1 2024-07-30T00:00:00Z current 2024-07-30T00:00:00Z 2024-07-30T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z curl-8.9.0-1.1 on GA media These are all security issues fixed in the curl-8.9.0-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-14225 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2024-6197/ SUSE CVE CVE-2024-6197 page https://www.suse.com/security/cve/CVE-2024-6874/ SUSE CVE CVE-2024-6874 page openSUSE Tumbleweed curl-8.9.0-1.1 curl-fish-completion-8.9.0-1.1 curl-zsh-completion-8.9.0-1.1 libcurl-devel-8.9.0-1.1 libcurl-devel-32bit-8.9.0-1.1 libcurl-devel-doc-8.9.0-1.1 libcurl4-8.9.0-1.1 libcurl4-32bit-8.9.0-1.1 curl-8.9.0-1.1 as a component of openSUSE Tumbleweed curl-fish-completion-8.9.0-1.1 as a component of openSUSE Tumbleweed curl-zsh-completion-8.9.0-1.1 as a component of openSUSE Tumbleweed libcurl-devel-8.9.0-1.1 as a component of openSUSE Tumbleweed libcurl-devel-32bit-8.9.0-1.1 as a component of openSUSE Tumbleweed libcurl-devel-doc-8.9.0-1.1 as a component of openSUSE Tumbleweed libcurl4-8.9.0-1.1 as a component of openSUSE Tumbleweed libcurl4-32bit-8.9.0-1.1 as a component of openSUSE Tumbleweed libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. Itcan detect an invalid field and return error. Unfortunately, when doing so it also invokes `free()` on a 4 byte localstack buffer. Most modern malloc implementations detect this error and immediately abort. Some however accept the input pointer and add that memory to its list of available chunks. This leads to the overwriting of nearby stack memory. The content of the overwrite is decided by the `free()` implementation; likely to be memory pointers and a set of flags. The most likely outcome of exploting this flaw is a crash, although it cannot be ruled out that more serious results can be had in special circumstances. CVE-2024-6197 openSUSE Tumbleweed:curl-8.9.0-1.1 openSUSE Tumbleweed:curl-fish-completion-8.9.0-1.1 openSUSE Tumbleweed:curl-zsh-completion-8.9.0-1.1 openSUSE Tumbleweed:libcurl-devel-32bit-8.9.0-1.1 openSUSE Tumbleweed:libcurl-devel-8.9.0-1.1 openSUSE Tumbleweed:libcurl-devel-doc-8.9.0-1.1 openSUSE Tumbleweed:libcurl4-32bit-8.9.0-1.1 openSUSE Tumbleweed:libcurl4-8.9.0-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-6197.html CVE-2024-6197 https://bugzilla.suse.com/1227888 SUSE Bug 1227888 libcurl's URL API function [curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) offers punycode conversions, to and from IDN. Asking to convert a name that is exactly 256 bytes, libcurl ends up reading outside of a stack based buffer when built to use the *macidn* IDN backend. The conversion function then fills up the provided buffer exactly - but does not null terminate the string. This flaw can lead to stack contents accidently getting returned as part of the converted string. CVE-2024-6874 openSUSE Tumbleweed:curl-8.9.0-1.1 openSUSE Tumbleweed:curl-fish-completion-8.9.0-1.1 openSUSE Tumbleweed:curl-zsh-completion-8.9.0-1.1 openSUSE Tumbleweed:libcurl-devel-32bit-8.9.0-1.1 openSUSE Tumbleweed:libcurl-devel-8.9.0-1.1 openSUSE Tumbleweed:libcurl-devel-doc-8.9.0-1.1 openSUSE Tumbleweed:libcurl4-32bit-8.9.0-1.1 openSUSE Tumbleweed:libcurl4-8.9.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-6874.html CVE-2024-6874 https://bugzilla.suse.com/1228260 SUSE Bug 1228260