• Advisory ID (KylinSec-SA-2023-1225)

Summary:

libcurl supports sharing HSTS data between separate handles. This sharing was introduced without consideration for doing it across separate threads, but there was no indication of this fact in the documentation. Due to missing mutexes or thread locks, two threads sharing the same HSTS data could end up doing a double-free or use-after-free.

INFO: This feature was not implemented to support sharing between threads. That is still left for future improvements. The fix for this issue is therefore a documentation update clarifying that sharing HSTS between threads is not expected to work.

Severity: Low

Advisory ID: KylinSec-SA-2023-1225

Release date: March 25, 2023

Related CVE: CVE-2023-27537

• Details

1. Vulnerability description

libcurl supports sharing HSTS data between separate handles. This sharing was introduced without consideration for doing it across separate threads, but there was no indication of this fact in the documentation. Due to missing mutexes or thread locks, two threads sharing the same HSTS data could end up doing a double-free or use-after-free.

INFO: This feature was not implemented to support sharing between threads. That is still left for future improvements. The fix for this issue is therefore a documentation update clarifying that sharing HSTS between threads is not expected to work.

2. Affected scope

CVE name        Product   Component  Affected
CVE-2023-27537  KY3.4-4A  curl       Unaffected
CVE-2023-27537  KY3.4-5   curl       Unaffected
CVE-2023-27537  KY3.5.1   curl       Unaffected
CVE-2023-27537  KY3.5.2   curl       Unaffected

3. Affected components

    None

4. Fixed versions

    None

5. Remediation

    None

6. Download links

    None