Candidate: CVE-2021-22922
CRD: 2021-07-21
PublicDate: 2021-08-05 21:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22922
 https://curl.se/docs/CVE-2021-22922.html
Description:
 When curl is instructed to download content using the metalink feature, the
 contents is verified against a hash provided in the metalink XML file.
 The metalink XML file points out to the client how to get the same content
 from a set of different URLs, potentially hosted by different servers and the
 client can then download the file from one or several of them. In a serial or
 parallel manner.
 If one of the servers hosting the contents has been breached and the contents
 of the specific file on that server is replaced with a modified payload, curl
 should detect this when the hash of the file mismatches after a completed
 download. It should remove the contents and instead try getting the contents
 from another URL. This is not done, and instead such a hash mismatch is only
 mentioned in text and the potentially malicious content is kept in the file on
 disk.
Ubuntu-Description:
Notes:
 mdeslaur> introduced in 7.27.0
 mdeslaur> per upstream "curl has completely removed the metalink feature
 mdeslaur> as of 7.78.0. No fix for this flaw will be produced by the curl
 mdeslaur> project. The fix for earlier versions is to rebuild curl
 mdeslaur> with the metalink support switched off!"
 mdeslaur> Ubuntu builds curl with metalink support switched off already.
Mitigation:
Bugs:
Priority: medium
Discovered-by: Harry Sintonen
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N [6.5 MEDIUM]

Patches_curl:
upstream_curl: released (7.78.0)
trusty_curl: ignored (out of standard support, was not-affected [code not compiled])
trusty/esm_curl: not-affected (code not compiled)
xenial_curl: ignored (out of standard support, was not-affected [code not compiled])
esm-infra/xenial_curl: not-affected (code not compiled)
bionic_curl: not-affected (code not compiled)
focal_curl: not-affected (code not compiled)
groovy_curl: not-affected (code not compiled)
hirsute_curl: not-affected (code not compiled)
impish_curl: not-affected (code not compiled)
jammy_curl: not-affected (code not compiled)
devel_curl: not-affected (code not compiled)