Debian Bug report logs - #518423
[CVE-2009-0037] libcurl Arbitrary File Access

version graph

Package: libcurl3; Maintainer for libcurl3 is Alessandro Ghedini <ghedo@debian.org>; Source for libcurl3 is src:curl.

Reported by: Daniel Leidert <daniel.leidert@wgdd.de>

Date: Thu, 5 Mar 2009 23:57:01 UTC

Severity: critical

Tags: security

Found in version curl/7.18.2-8

Fixed in versions curl/7.18.2-8.1, curl/7.19.5-1

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Domenico Andreoli <cavok@debian.org>:
Bug#518423; Package libcurl3. (Thu, 05 Mar 2009 23:57:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Daniel Leidert <daniel.leidert@wgdd.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Domenico Andreoli <cavok@debian.org>. (Thu, 05 Mar 2009 23:57:03 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Daniel Leidert <daniel.leidert@wgdd.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: [CVE-2009-0037] libcurl Arbitrary File Access
Date: Fri, 06 Mar 2009 00:55:01 +0100
Package: libcurl3
Version: 7.18.2-8
Severity: critical
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

See http://curl.haxx.se/docs/adv_20090303.html. Ubuntu already fixed it,
so there is a patch available.

Regards, Daniel


- -- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (850, 'unstable'), (550, 'stable'), (500, 'oldstable'), (110, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libcurl3 depends on:
ii  ca-certificates       20081127           Common CA certificates
ii  libc6                 2.9-4              GNU C Library: Shared libraries
ii  libidn11              1.12-1             GNU Libidn library, implementation
ii  libkrb53              1.6.dfsg.4~beta1-9 Transitional library package/krb4 
ii  libldap-2.4-2         2.4.15-1           OpenLDAP libraries
ii  libssh2-1             1.0-1              SSH2 client-side library
ii  libssl0.9.8           0.9.8g-15          SSL shared libraries
ii  zlib1g                1:1.2.3.3.dfsg-13  compression library - runtime

libcurl3 recommends no packages.

libcurl3 suggests no packages.

- -- no debconf information

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkmwZlEACgkQm0bx+wiPa4xz1ACeNEM3PVCMa2UXD5HzJ7kiuYJD
e7QAnR7nBm77AsE7H3La/YXUwe++PMti
=Gv74
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Domenico Andreoli <cavok@debian.org>:
Bug#518423; Package libcurl3. (Wed, 11 Mar 2009 14:51:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Domenico Andreoli <cavok@debian.org>. (Wed, 11 Mar 2009 14:51:02 GMT) Full text and rfc822 format available.

Message #10 received at 518423@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 518423@bugs.debian.org
Subject: intent to NMU
Date: Wed, 11 Mar 2009 15:49:45 +0100
[Message part 1 (text/plain, inline)]
Hi,
I intent to upload a 0-day NMU for this in order to get this 
fixed synchronized with the oldstable and stable DSAs.
A debdiff is attached and archived on:
http://people.debian.org/~nion/nmu-diff/curl-7.18.2-8_7.18.2-8.1.patch

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[curl-7.18.2-8_7.18.2-8.1.patch (text/x-diff, attachment)]
[Message part 3 (application/pgp-signature, inline)]

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. (Wed, 11 Mar 2009 15:42:13 GMT) Full text and rfc822 format available.

Notification sent to Daniel Leidert <daniel.leidert@wgdd.de>:
Bug acknowledged by developer. (Wed, 11 Mar 2009 15:42:13 GMT) Full text and rfc822 format available.

Message #15 received at 518423-close@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 518423-close@bugs.debian.org
Subject: Bug#518423: fixed in curl 7.18.2-8.1
Date: Wed, 11 Mar 2009 15:17:04 +0000
Source: curl
Source-Version: 7.18.2-8.1

We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive:

curl_7.18.2-8.1.diff.gz
  to pool/main/c/curl/curl_7.18.2-8.1.diff.gz
curl_7.18.2-8.1.dsc
  to pool/main/c/curl/curl_7.18.2-8.1.dsc
curl_7.18.2-8.1_amd64.deb
  to pool/main/c/curl/curl_7.18.2-8.1_amd64.deb
libcurl3-dbg_7.18.2-8.1_amd64.deb
  to pool/main/c/curl/libcurl3-dbg_7.18.2-8.1_amd64.deb
libcurl3-gnutls_7.18.2-8.1_amd64.deb
  to pool/main/c/curl/libcurl3-gnutls_7.18.2-8.1_amd64.deb
libcurl3_7.18.2-8.1_amd64.deb
  to pool/main/c/curl/libcurl3_7.18.2-8.1_amd64.deb
libcurl4-gnutls-dev_7.18.2-8.1_amd64.deb
  to pool/main/c/curl/libcurl4-gnutls-dev_7.18.2-8.1_amd64.deb
libcurl4-openssl-dev_7.18.2-8.1_amd64.deb
  to pool/main/c/curl/libcurl4-openssl-dev_7.18.2-8.1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 518423@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated curl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 11 Mar 2009 15:33:08 +0100
Source: curl
Binary: curl libcurl3 libcurl3-gnutls libcurl4-openssl-dev libcurl4-gnutls-dev libcurl3-dbg
Architecture: source amd64
Version: 7.18.2-8.1
Distribution: unstable
Urgency: high
Maintainer: Domenico Andreoli <cavok@debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 curl       - Get a file from an HTTP, HTTPS or FTP server
 libcurl3   - Multi-protocol file transfer library (OpenSSL)
 libcurl3-dbg - libcurl compiled with debug symbols
 libcurl3-gnutls - Multi-protocol file transfer library (GnuTLS)
 libcurl4-gnutls-dev - Development files and documentation for libcurl (GnuTLS)
 libcurl4-openssl-dev - Development files and documentation for libcurl (OpenSSL)
Closes: 518423
Changes: 
 curl (7.18.2-8.1) unstable; urgency=high
 .
   * Non-maintainer upload by the security team.
   * Include upstream patch to prevent overwriting and reading arbitrary
     local files or command execution via malicious redirects depending on
     the setup curl is used in.
     NOTE: This update introduces a new option called CURLOPT_REDIR_PROTOCOLS
     which includes the protocols curl will follow on redirects, scp and file
     are not included by default (CVE-2009-0037; Closes: #518423).
Checksums-Sha1: 
 5d86f1c5a62a9dbf0a6d5dfd4b1c1b2d1ef7d456 1402 curl_7.18.2-8.1.dsc
 c08b70a2a04bffdb5f7c9693a7e96b0c0b4225ee 27463 curl_7.18.2-8.1.diff.gz
 201e466faddd0b2d1ddfea8dbdcf07f8815df266 209292 curl_7.18.2-8.1_amd64.deb
 168e65729c0cbfe9ce490cac00039d01abebfe9f 230774 libcurl3_7.18.2-8.1_amd64.deb
 7363c7adf13e8e56dfd34701fc346825eb03361b 214634 libcurl3-gnutls_7.18.2-8.1_amd64.deb
 7c1f31999070b009ce1b2c0621031987470eef8d 951892 libcurl4-openssl-dev_7.18.2-8.1_amd64.deb
 063cc9300736d13a8e0766638c779ebb676c7952 931676 libcurl4-gnutls-dev_7.18.2-8.1_amd64.deb
 8499ed1e212a0196660bde6905b0a4b877a7b099 1180246 libcurl3-dbg_7.18.2-8.1_amd64.deb
Checksums-Sha256: 
 2d257683cc160bbbc3fd357852ce74d6f14e459a390fca1cf9e6a88c411c662d 1402 curl_7.18.2-8.1.dsc
 d7bb99e6a2334519a0db16fa11a03af98a8ed5649c805eeadcfbce2cc51588f7 27463 curl_7.18.2-8.1.diff.gz
 833218d98cc56e476b654be3858ee911f91247a284a65fb0f099ac899cd8ed77 209292 curl_7.18.2-8.1_amd64.deb
 c0fe7861386408e28d9e038c2b10dd07f84b387cf659879dc94f2eb9dc2690bd 230774 libcurl3_7.18.2-8.1_amd64.deb
 8d21a992290a5aa9e3fd03919dc37a52fd67fe6f2c3a104e8e48a5c508590892 214634 libcurl3-gnutls_7.18.2-8.1_amd64.deb
 119e00b147abcb74738f29ca98b37578ef32102bfc5f41d4e84f8a7cc406929b 951892 libcurl4-openssl-dev_7.18.2-8.1_amd64.deb
 8b4a0d71b8e43bd867c02ab4dce57f27608a59a7be610a34288a39b0cb99de9d 931676 libcurl4-gnutls-dev_7.18.2-8.1_amd64.deb
 64d30157ad6f8d0e3cc70462a002ee60bf7a0cd89a5383812005cc387790aabe 1180246 libcurl3-dbg_7.18.2-8.1_amd64.deb
Files: 
 b74779128eabfe37571c5112ce10e91b 1402 web optional curl_7.18.2-8.1.dsc
 0a643b8439c6d1fa7b91c0b27da5d781 27463 web optional curl_7.18.2-8.1.diff.gz
 736a5cdfbebef5180d02a4f47fe6f66a 209292 web optional curl_7.18.2-8.1_amd64.deb
 11c1a30604adef38c161df23ecae82a8 230774 libs optional libcurl3_7.18.2-8.1_amd64.deb
 debce426c791274182376458f48a1615 214634 libs optional libcurl3-gnutls_7.18.2-8.1_amd64.deb
 a33a48f2fbf9c1bc51303e0b4e25c0e3 951892 libdevel optional libcurl4-openssl-dev_7.18.2-8.1_amd64.deb
 0a5d0758b31a6dfffee57e59e16b95d7 931676 libdevel optional libcurl4-gnutls-dev_7.18.2-8.1_amd64.deb
 286f14c07e59801ebb19d0b89a0f74c1 1180246 libdevel extra libcurl3-dbg_7.18.2-8.1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkm30iAACgkQHYflSXNkfP/CRgCfeExSasg9ZuGGYbEGTzGuL595
6MYAn1IIlBuFYc2cWFnBz0cbqFCmJpbY
=qld8
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Domenico Andreoli <cavok@debian.org>:
Bug#518423; Package libcurl3. (Sat, 06 Jun 2009 02:33:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ben Finney <ben+debian@benfinney.id.au>:
Extra info received and forwarded to list. Copy sent to Domenico Andreoli <cavok@debian.org>. (Sat, 06 Jun 2009 02:33:05 GMT) Full text and rfc822 format available.

Message #20 received at 518423@bugs.debian.org (full text, mbox):

From: Ben Finney <ben+debian@benfinney.id.au>
To: 518423@bugs.debian.org
Subject: Re: Bug#518423: fixed in curl 7.18.2-8.1
Date: Sat, 6 Jun 2009 12:32:21 +1000
[Message part 1 (text/plain, inline)]
On 11-Mar-2009, Nico Golde wrote:
> Source: curl
> Source-Version: 7.18.2-8.1
> …
>
> Closes: 518423
> Changes: 
>  curl (7.18.2-8.1) unstable; urgency=high
>  .
>    * Non-maintainer upload by the security team.
>    * Include upstream patch to prevent overwriting and reading arbitrary
>      local files or command execution via malicious redirects depending on
>      the setup curl is used in.
>      NOTE: This update introduces a new option called CURLOPT_REDIR_PROTOCOLS
>      which includes the protocols curl will follow on redirects, scp and file
>      are not included by default (CVE-2009-0037; Closes: #518423).

This bug fix has not yet made it into Sid, which is blocking the
progression of ‘pycurl’ into Squeeze since it has a dependency on a
newer version of ‘curl’.

What is the prognosis for getting this fix into Squeeze?

-- 
 \       “Facts are meaningless. You could use facts to prove anything |
  `\                that's even remotely true!” —Homer, _The Simpsons_ |
_o__)                                                                  |
Ben Finney <ben@benfinney.id.au>
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Domenico Andreoli <cavok@debian.org>:
Bug#518423; Package libcurl3. (Sat, 13 Jun 2009 13:57:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Andreas Schuldei <andreas@schuldei.org>:
Extra info received and forwarded to list. Copy sent to Domenico Andreoli <cavok@debian.org>. (Sat, 13 Jun 2009 13:57:02 GMT) Full text and rfc822 format available.

Message #25 received at 518423@bugs.debian.org (full text, mbox):

From: Andreas Schuldei <andreas@schuldei.org>
To: Ben Finney <ben+debian@benfinney.id.au>, BenFinney@schuldei.org, 518423@bugs.debian.org
Subject: Re: Bug#518423: fixed in curl 7.18.2-8.1
Date: Sat, 13 Jun 2009 15:54:30 +0200
fixed 518423 7.19.5-1

* Ben Finney (ben+debian@benfinney.id.au) [090606 04:34]:
> On 11-Mar-2009, Nico Golde wrote:
> > Source: curl
> > Source-Version: 7.18.2-8.1
> > …
> >
> > Closes: 518423
> > Changes: 
> >  curl (7.18.2-8.1) unstable; urgency=high
> >  .
> >    * Non-maintainer upload by the security team.
> >    * Include upstream patch to prevent overwriting and reading arbitrary
> >      local files or command execution via malicious redirects depending on
> >      the setup curl is used in.
> >      NOTE: This update introduces a new option called CURLOPT_REDIR_PROTOCOLS
> >      which includes the protocols curl will follow on redirects, scp and file
> >      are not included by default (CVE-2009-0037; Closes: #518423).
> 
> This bug fix has not yet made it into Sid, which is blocking the
> progression of ‘pycurl’ into Squeeze since it has a dependency on a
> newer version of ‘curl’.
> 
> What is the prognosis for getting this fix into Squeeze?
> 




Information forwarded to debian-bugs-dist@lists.debian.org, Domenico Andreoli <cavok@debian.org>:
Bug#518423; Package libcurl3. (Sun, 21 Jun 2009 03:39:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ben Finney <ben+debian@benfinney.id.au>:
Extra info received and forwarded to list. Copy sent to Domenico Andreoli <cavok@debian.org>. (Sun, 21 Jun 2009 03:39:02 GMT) Full text and rfc822 format available.

Message #30 received at 518423@bugs.debian.org (full text, mbox):

From: Ben Finney <ben+debian@benfinney.id.au>
To: Andreas Schuldei <andreas@schuldei.org>
Cc: 518423@bugs.debian.org
Subject: Re: Bug#518423: fixed in curl 7.18.2-8.1
Date: Sun, 21 Jun 2009 13:38:15 +1000
[Message part 1 (text/plain, inline)]
On 13-Jun-2009, Andreas Schuldei wrote:
> fixed 518423 7.19.5-1

Did you intend for this to go to the Debian BTS control bot? It's only
gone to the bug report and the reporter.

-- 
 \      “It's a small world, but I wouldn't want to have to paint it.” |
  `\                                                    —Steven Wright |
_o__)                                                                  |
Ben Finney <ben@benfinney.id.au>
[signature.asc (application/pgp-signature, inline)]

Bug marked as fixed in version 7.19.5-1. Request was from Andreas Schuldei <andreas@schuldei.org> to control@bugs.debian.org. (Fri, 10 Jul 2009 22:48:03 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Feb 2011 07:46:52 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 17:59:14 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.