| Name | CVE-2021-22925 |
| Description | curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`in libcurl. This rarely used option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for sending `NEW_ENV` variables, libcurlcould be made to pass on uninitialized data from a stack based buffer to theserver. Therefore potentially revealing sensitive internal information to theserver using a clear-text network protocol.This could happen because curl did not call and use sscanf() correctly whenparsing the string provided by the application. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| curl (PTS) | bullseye | 7.74.0-1.3+deb11u13 | fixed |
| bullseye (security) | 7.74.0-1.3+deb11u15 | fixed |
| bookworm | 7.88.1-10+deb12u12 | fixed |
| bookworm (security) | 7.88.1-10+deb12u5 | fixed |
| trixie, sid | 8.14.1-2 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| curl | source | (unstable) | (not affected) | | | |
Notes
- curl <not-affected> (Incomplete fix for CVE-2021-22898 not applied)
https://curl.se/docs/CVE-2021-22925.html
Introduced by: https://github.com/curl/curl/commit/a1d6ad26100bc493c7b04f1301b1634b7f5aa8b4 (curl-7_7_alpha2)
Fixed by: https://github.com/curl/curl/commit/894f6ec730597eb243618d33cc84d71add8d6a8a (curl-7_78_0)
https://www.openwall.com/lists/oss-security/2021/07/21/4
CVE is assigned because previous attempt to address CVE-2021-22898 resulted to be
insufficient and the security vulnerability remained.