Is the curl Important CVE-2023-38545 in SOCKS proxy hostname fixed in RHEL?

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux 9, 8, 7, 6
  • curl package providing libcurl library

Issue

  • Is the curl Important CVE-2023-38545 in SOCKS proxy hostname fixed in RHEL?
  • Will RHEL update to libcurl 8.4.0 or later?
  • libcurl-8.4.0 not available in Red Hat Enterprise Linux 8
  • curl security vulnerability in CURLPROXY_SOCKS5_HOSTNAME buffer length overflow

Resolution

RHEL 9

Upgrade to one of the following packages or later:

Red Hat Enterprise Linux release    Package                     Errata
9.3                                 curl-7.76.1-26.el9_3.2      RHSA-2023:6745
9.2.z                               curl-7.76.1-23.el9_2.4      RHSA-2023:5763
9.0.z                               curl-7.76.1-14.el9_0.9      RHSA-2023:5700

All Earlier Versions - RHEL 8, RHEL 7, RHEL 6

RHEL 8, RHEL 7 and RHEL 6 are not affected by this CVE.

The curl package and the libcurl library shipped in these RHEL releases never contained the vulnerable code, so no package update is required to address this vulnerability.
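As an added example (not part of the Red Hat article or any Red Hat tooling), the following POSIX shell script turns the table above into a check that can be run on a host: it reads the RHEL stream from /etc/os-release (assumed to carry VERSION_ID such as "9.2"), queries the installed libcurl VERSION-RELEASE with rpm, and reports whether that build is at or above the fixed build for its stream. Streams the table does not list (for example 9.1) are reported as unknown rather than guessed at, and RHEL 8 and earlier are reported as not affected per this article. The version comparison uses sort -V as an approximation of rpm's own comparison, which is adequate within one el9_X stream where only the numeric fields differ.

```shell
#!/bin/sh
# Added example: does the installed libcurl on this RHEL host carry the fix
# for CVE-2023-38545, according to the RHEL 9 errata table in the article?
# Assumptions: /etc/os-release provides VERSION_ID like "9.2"; rpm prints
# VERSION-RELEASE like "7.76.1-23.el9_2.4"; GNU sort supports -V.

# Minimum fixed VERSION-RELEASE per RHEL 9 stream (values from the table).
fixed_for_stream() {
    case "$1" in
        9.3) echo "7.76.1-26.el9_3.2" ;;
        9.2) echo "7.76.1-23.el9_2.4" ;;
        9.0) echo "7.76.1-14.el9_0.9" ;;
        *)   return 1 ;;   # stream not covered by the table
    esac
}

# ver_ge A B: exit 0 if VERSION-RELEASE A is >= B.
# sort -V approximates rpmvercmp; fine when both strings share the el9_X tag.
ver_ge() {
    [ "$1" = "$2" ] && return 0
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n1)" = "$1" ]
}

# cve_2023_38545_status STREAM INSTALLED
# Prints one of: not-affected, fixed, vulnerable, unknown-stream
cve_2023_38545_status() {
    stream=$1
    installed=$2
    case "$stream" in
        6*|7*|8*) echo not-affected; return 0 ;;   # pre-7.69.0 code base, see Root Cause
    esac
    min=$(fixed_for_stream "$stream") || { echo unknown-stream; return 0; }
    if ver_ge "$installed" "$min"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Live check on a RHEL host (needs rpm and /etc/os-release).
check_host() {
    . /etc/os-release
    # head -n1: on multilib hosts rpm prints one line per installed arch,
    # all built from the same source RPM.
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' libcurl | head -n1)
    printf 'RHEL %s libcurl %s: %s\n' "$VERSION_ID" "$installed" \
        "$(cve_2023_38545_status "$VERSION_ID" "$installed")"
}
```

Run check_host on the target system, or feed cve_2023_38545_status a stream and build string from an inventory export. As an independent cross-check, Red Hat records the CVE in the package changelog, so `rpm -q --changelog libcurl | grep CVE-2023-38545` should match on a fixed RHEL 9 build and on nothing in RHEL 8 and earlier.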

Root Cause

This security vulnerability is a heap-based buffer overflow in the SOCKS5 proxy handshake code (reached through CURLPROXY_SOCKS5_HOSTNAME, where the proxy is asked to resolve a hostname longer than 255 bytes). The affected code was introduced upstream in libcurl-7.69.0 by this patch:

That code is not present in the libcurl package in RHEL 8 or earlier.

Those earlier RHEL releases are based on libcurl versions older than 7.69.0, and the above patch was never backported to them.

The package versions available in each RHEL release are:

RHEL release    Based on libcurl version
RHEL 8          libcurl-7.61.1
RHEL 7          libcurl-7.29.0
RHEL 6          libcurl-7.19.7

The Red Hat CVE database entry for this issue lists RHEL 8 and earlier as "Not affected":

Diagnostic Steps

View the patch which resolves this issue, from public CentOS Stream:

View the source which introduced this issue:

View the upstream curl release that first contains the patch which introduced this issue (it first shipped in 7.69.0):

$ git describe --contains 4a4b63daaa01e
curl-7_69_0~110

View available versions in RHEL releases:

# yum list available --showduplicates libcurl

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.