CVE-2023-28320

2023-05-2621:15:15

Debian Security Bug Tracker

security-tracker.debian.org

curl

denial of service

vulnerability

host names

synchronous resolver

time-out

multi-threaded application

crash

unix

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

0.002 Low

EPSS

Percentile

54.0%

JSON

A denial of service vulnerability exists in curl <v8.1.0 in the way libcurl provides several different backends for resolving host names, selected at build time. If it is built to use the synchronous resolver, it allows name resolves to time-out slow operations using alarm() and siglongjmp(). When doing this, libcurl used a global buffer that was not mutex protected and a multi-threaded application might therefore crash or otherwise misbehave.

OSVersionArchitecturePackageVersionFilename
Debian12allcurl< 7.88.1-10curl_7.88.1-10_all.deb
Debian11allcurl<= 7.74.0-1.3+deb11u11curl_7.74.0-1.3+deb11u11_all.deb
Debian10allcurl<= 7.64.0-4+deb10u2curl_7.64.0-4+deb10u2_all.deb
Debian999allcurl< 7.88.1-10curl_7.88.1-10_all.deb
Debian13allcurl< 7.88.1-10curl_7.88.1-10_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	curl	< 7.88.1-10	curl_7.88.1-10_all.deb
Debian	11	all	curl	<= 7.74.0-1.3+deb11u11	curl_7.74.0-1.3+deb11u11_all.deb
Debian	10	all	curl	<= 7.64.0-4+deb10u2	curl_7.64.0-4+deb10u2_all.deb
Debian	999	all	curl	< 7.88.1-10	curl_7.88.1-10_all.deb
Debian	13	all	curl	< 7.88.1-10	curl_7.88.1-10_all.deb