CVE-2023-23916

NameCVE-2023-23916
DescriptionAn allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with differentalgorithms. The number of acceptable "links" in this "decompression chain" wascapped, but the cap was implemented on a per-header basis allowing a maliciousserver to insert a virtually unlimited number of compression steps simply byusing many headers. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3341-1, DSA-5365-1
Debian Bugs1031371

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
curl (PTS)buster7.64.0-4+deb10u2vulnerable
buster (security)7.64.0-4+deb10u9fixed
bullseye (security), bullseye7.74.0-1.3+deb11u11fixed
bookworm, bookworm (security)7.88.1-10+deb12u5fixed
trixie8.5.0-2fixed
sid8.7.1-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
curlsourcebuster7.64.0-4+deb10u5DLA-3341-1
curlsourcebullseye7.74.0-1.3+deb11u7DSA-5365-1
curlsource(unstable)7.88.1-11031371

Notes

https://curl.se/docs/CVE-2023-23916.html
Introduced by: https://github.com/curl/curl/commit/dbcced8e32b50c068ac297106f0502ee200a1ebd (curl-7_57_0)
Fixed by: https://github.com/curl/curl/commit/119fb187192a9ea13dc90d9d20c215fc82799ab9 (curl-7_88_0)
Search for package or bug name: Reporting problems