Debian Bug report logs - #848958
curl: CVE-2016-9586: printf floating point buffer overflow


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 21 Dec 2016 07:48:01 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in versions curl/7.51.0-1, curl/7.38.0-4

Fixed in version curl/7.52.1-1

Done: Alessandro Ghedini <ghedo@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Alessandro Ghedini <ghedo@debian.org>:
Bug#848958; Package src:curl. (Wed, 21 Dec 2016 07:48:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Alessandro Ghedini <ghedo@debian.org>. (Wed, 21 Dec 2016 07:48:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: curl: CVE-2016-9586: printf floating point buffer overflow
Date: Wed, 21 Dec 2016 08:45:16 +0100
Source: curl
Version: 7.51.0-1
Severity: important
Tags: security patch upstream fixed-upstream
Control: found -1 7.38.0-4

Hi,

the following vulnerability was published for curl.

CVE-2016-9586[0]:
printf floating point buffer overflow

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-9586
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9586
[1] https://curl.haxx.se/docs/adv_20161221A.html
[2] https://github.com/curl/curl/commit/3ab3c16db6a5674f53cf23d56512a405fde0b2c9

Regards,
Salvatore
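
Added example, not part of this bug report, the linked advisory, or curl's source: a minimal C model of the bug class behind CVE-2016-9586, a printf implementation that expands a %f conversion with caller-controlled field width and precision into a fixed-size scratch buffer. Everything in it is assumed for illustration: the 256-byte WORK_SIZE, the function names fmt_double_unsafe_len, would_overflow and fmt_double_clamped, and the clamping rule. The unsafe path only measures how long an unguarded sprintf() output would have been, so the program never writes out of bounds itself; the hardened path clamps width and precision to what the buffer can hold and formats with snprintf() as a backstop so that a huge magnitude printed with %f truncates instead of overflowing. Consult the advisory [1] and commit [2] above for what curl actually changed.

```c
/*
 * Added illustration of the CVE-2016-9586 bug class (not curl code).
 * A printf implementation formats a double with "%[width][.prec]f" into a
 * fixed-size scratch buffer; width and precision come from the caller.
 * Assumed for this example: WORK_SIZE, all function names, the clamp rule.
 */
#include <stdio.h>
#include <string.h>

#define WORK_SIZE 256   /* assumed size of the internal scratch buffer */

/* Length an unguarded sprintf(work, "%*.*f", ...) would have written.
 * prec < 0 means "no precision given" (libc default of 6); width 0 means
 * no minimum width.  Measures only, never writes. */
size_t fmt_double_unsafe_len(long width, long prec, double value)
{
    int len = snprintf(NULL, 0, "%*.*f", (int)width, (int)prec, value);
    return len < 0 ? 0 : (size_t)len;
}

/* 1 if the unguarded expansion (plus NUL) would not fit in WORK_SIZE,
 * i.e. the original sprintf would have run off the end of the buffer. */
int would_overflow(long width, long prec, double value)
{
    return fmt_double_unsafe_len(width, prec, value) >= WORK_SIZE;
}

/* Hardened variant: clamp width and precision so the expansion fits the
 * scratch buffer, and format with snprintf so any remaining overshoot
 * (e.g. 1e300 printed with %f) truncates instead of overflowing.
 * Copies the result to out (NUL-terminated) and returns its length. */
size_t fmt_double_clamped(long width, long prec, double value,
                          char *out, size_t outsz)
{
    char work[WORK_SIZE];
    int len;
    size_t n;

    if (outsz == 0)
        return 0;

    if (width >= (long)sizeof work)
        width = (long)sizeof work - 1;

    if (prec >= 0) {
        /* Reserve one integer digit, a sign, the '.' and the NUL; every
           further integer digit takes one byte away from the precision. */
        long maxprec = (long)sizeof work - 4;
        double mag = value < 0 ? -value : value;
        while (mag >= 10.0 && maxprec > 0) {
            mag /= 10.0;
            maxprec--;
        }
        if (prec > maxprec)
            prec = maxprec;
    }

    len = snprintf(work, sizeof work, "%*.*f", (int)width, (int)prec, value);
    if (len < 0)
        len = 0;
    if ((size_t)len >= sizeof work)
        len = (int)sizeof work - 1;     /* snprintf truncated the output */

    n = (size_t)len < outsz - 1 ? (size_t)len : outsz - 1;
    memcpy(out, work, n);
    out[n] = '\0';
    return n;
}

int main(void)
{
    /* Constructed inputs: a wide field, a long precision, a huge value,
       and a benign call for comparison. */
    struct { long w, p; double v; } cases[] = {
        { 300, -1, 1.0 }, { 0, 300, 1.0 }, { 0, -1, 1e300 }, { 10, 2, 3.14 },
    };
    char out[512];
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        size_t unsafe = fmt_double_unsafe_len(cases[i].w, cases[i].p, cases[i].v);
        size_t safe = fmt_double_clamped(cases[i].w, cases[i].p, cases[i].v,
                                         out, sizeof out);
        printf("width=%ld prec=%ld: unguarded sprintf needs %zu bytes (%s), "
               "clamped output is %zu bytes\n",
               cases[i].w, cases[i].p, unsafe,
               would_overflow(cases[i].w, cases[i].p, cases[i].v)
                   ? "OVERFLOW" : "fits",
               safe);
    }
    return 0;
}
```

The check a practitioner wants from this is the first column: any caller-supplied width or precision of 255 or more, or any %f of a value with more than about 248 integer digits, pushes an unguarded 256-byte buffer past its end. Clamping alone is not enough for the huge-magnitude case, which is why the hardened path also bounds the write with snprintf().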



Marked as found in versions curl/7.38.0-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 21 Dec 2016 07:48:04 GMT)


Reply sent to Alessandro Ghedini <ghedo@debian.org>:
You have taken responsibility. (Thu, 12 Jan 2017 23:09:24 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 12 Jan 2017 23:09:24 GMT)


Message #12 received at 848958-close@bugs.debian.org:

From: Alessandro Ghedini <ghedo@debian.org>
To: 848958-close@bugs.debian.org
Subject: Bug#848958: fixed in curl 7.52.1-1
Date: Thu, 12 Jan 2017 23:04:03 +0000
Source: curl
Source-Version: 7.52.1-1

We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 848958@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alessandro Ghedini <ghedo@debian.org> (supplier of updated curl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 12 Jan 2017 22:02:44 +0000
Source: curl
Binary: curl libcurl3 libcurl3-gnutls libcurl3-nss libcurl4-openssl-dev libcurl4-gnutls-dev libcurl4-nss-dev libcurl3-dbg libcurl4-doc
Architecture: source amd64 all
Version: 7.52.1-1
Distribution: unstable
Urgency: medium
Maintainer: Alessandro Ghedini <ghedo@debian.org>
Changed-By: Alessandro Ghedini <ghedo@debian.org>
Description:
 curl       - command line tool for transferring data with URL syntax
 libcurl3   - easy-to-use client-side URL transfer library (OpenSSL flavour)
 libcurl3-dbg - debugging symbols for libcurl (OpenSSL, GnuTLS and NSS flavours)
 libcurl3-gnutls - easy-to-use client-side URL transfer library (GnuTLS flavour)
 libcurl3-nss - easy-to-use client-side URL transfer library (NSS flavour)
 libcurl4-doc - documentation for libcurl
 libcurl4-gnutls-dev - development files and documentation for libcurl (GnuTLS flavour)
 libcurl4-nss-dev - development files and documentation for libcurl (NSS flavour)
 libcurl4-openssl-dev - development files and documentation for libcurl (OpenSSL flavour)
Closes: 731998 844018 846360 847958 848958 849539 850880
Changes:
 curl (7.52.1-1) unstable; urgency=medium
 .
   * New upstream release
     - Fix printf floating point buffer overflow as per CVE-2016-9586
       (Closes: #848958)
   * B-D on "libssl1.0-dev | libssl-dev (<< 1.1)" (Closes: #850880, #844018)
   * Another attempt at making -dev packages multi-arch.
     Thanks to Benjamin Moody for the patches. (Closes: #731998, #846360)
   * Enable support for PSL (Closes: #847958)
   * Re-enable support for IDN (Closes: #849539)
   * Drop 10_disable-network-tests.patch.
     It didn't really work, and the issue is not urgent.
   * Switch curl binary back to libcurl3/OpenSSL.
     While the GnuTLS flavour mostly worked fine, there are a bunch of features
     that are not implemented.
Checksums-Sha1:
 fb2b4903ed4fc7eda2802fac8afc94b3d85975d7 2765 curl_7.52.1-1.dsc
 73097952ada80fbaff924c706ba57d1f77c38d00 3504621 curl_7.52.1.orig.tar.gz
 154234bbe12dbaa80de6b45affbc7160aa996343 27964 curl_7.52.1-1.debian.tar.xz
 7f1c467cdaca6fec6ba838309894a38539317279 131900 curl-dbgsym_7.52.1-1_amd64.deb
 f2ac99b608839c8007dab8339846b3e98c803642 9281 curl_7.52.1-1_amd64.buildinfo
 d014eea5a8d7dd850ca89e40e653b6d3b5121557 226802 curl_7.52.1-1_amd64.deb
 211b0846983053e9e2f78b2a9eb6f589074c817a 5002904 libcurl3-dbg_7.52.1-1_amd64.deb
 44d42c2115a020f59fa7e1df09caaf6c2cc3535f 288408 libcurl3-gnutls_7.52.1-1_amd64.deb
 77c76649db965c984e649b02d254fd650815d107 294162 libcurl3-nss_7.52.1-1_amd64.deb
 5698eafe12bb9e248b227429feee93254ae53a9d 290154 libcurl3_7.52.1-1_amd64.deb
 7fdabfa951d26b9123529b9ab88fe370814bdd67 827038 libcurl4-doc_7.52.1-1_all.deb
 a1b5f01dd1e506b5de9945a904ecebc0d8b78892 371308 libcurl4-gnutls-dev_7.52.1-1_amd64.deb
 c8e41cabb2c65bb5e00362ff84cab62194509b37 376806 libcurl4-nss-dev_7.52.1-1_amd64.deb
 ec6effc491ca1e28331d6571da08dedb4c731598 373002 libcurl4-openssl-dev_7.52.1-1_amd64.deb
Checksums-Sha256:
 bc82de7b02127add254a39b767b9fd378add339b62e0c79d16d9d2f273fad378 2765 curl_7.52.1-1.dsc
 a8984e8b20880b621f61a62d95ff3c0763a3152093a9f9ce4287cfd614add6ae 3504621 curl_7.52.1.orig.tar.gz
 c2d962814c274e1ec5c962a3346631ec93a18fcb2da9438fdd44b7e8deda4e1a 27964 curl_7.52.1-1.debian.tar.xz
 799e27cdbde395c68548fd2b1f4b96adeb79cc96c40772829cece38612a8bca2 131900 curl-dbgsym_7.52.1-1_amd64.deb
 335c26a3dc8086bfced9dc9127eb7cd9dd675df859e2e05c6784a61c75c0503c 9281 curl_7.52.1-1_amd64.buildinfo
 e7904aa4a8359d92e679e91a5c830cf99e597016a0b28bf9e668ca2e490ade71 226802 curl_7.52.1-1_amd64.deb
 e324f3c550cfaacf174dc84c62b18922c6283c35bc9b7448e75a1def902a73de 5002904 libcurl3-dbg_7.52.1-1_amd64.deb
 a0e9d7eda07b5b7941b6d594ac554f28e1d88ccae1768d9ea9f9a0266f194047 288408 libcurl3-gnutls_7.52.1-1_amd64.deb
 b2355db7561c43dd460344660b427133d428de2f97b024bbe2885d9ed0bb0055 294162 libcurl3-nss_7.52.1-1_amd64.deb
 9605219fcd4004b566abd1a8ba45ec318ed134ab5bd0e85cf8d19d919628f23e 290154 libcurl3_7.52.1-1_amd64.deb
 f21130f39768485a974dacd1cae3d1b50cefe9c7bbe7fbfcfd576505f15f0f6d 827038 libcurl4-doc_7.52.1-1_all.deb
 33e3d357a3a656f6e2ec5791783b931a8197dcf247b4919f4bfa6de60738a197 371308 libcurl4-gnutls-dev_7.52.1-1_amd64.deb
 2ba1cabaa86fa0defd5278e0c4ed3d140e46c0474153054d2fce5da77d8b140e 376806 libcurl4-nss-dev_7.52.1-1_amd64.deb
 0c4861f64caac8b877082a181cf0d1ddd08714d403749cd576426f5a0cf54e23 373002 libcurl4-openssl-dev_7.52.1-1_amd64.deb
Files:
 d448a2feed4c3e0c82071820ab6a31fe 2765 web optional curl_7.52.1-1.dsc
 4e1ef056e117b4d25f4ec42ac609c0d4 3504621 web optional curl_7.52.1.orig.tar.gz
 787812269be20cb55f1069666380bd2f 27964 web optional curl_7.52.1-1.debian.tar.xz
 485dd209cee9aedc9fc4e23779ead6a3 131900 debug extra curl-dbgsym_7.52.1-1_amd64.deb
 25d362645e57932f4dfbf761f9522c5a 9281 web optional curl_7.52.1-1_amd64.buildinfo
 be2397dd16d53134be0378f6b5cdedf6 226802 web optional curl_7.52.1-1_amd64.deb
 ae22c811f711d5432741549db32db5ae 5002904 debug extra libcurl3-dbg_7.52.1-1_amd64.deb
 12470f8da06bd8752036ca8f908187fa 288408 libs optional libcurl3-gnutls_7.52.1-1_amd64.deb
 430727a175f38f21987a821dcb4bb222 294162 libs optional libcurl3-nss_7.52.1-1_amd64.deb
 ace983b87ab3070450274a2fde1c8ace 290154 libs optional libcurl3_7.52.1-1_amd64.deb
 671d998022a5ea4f165524933f1cfddd 827038 doc optional libcurl4-doc_7.52.1-1_all.deb
 1ad23b6cd3e10c4488c232e26fbc064c 371308 libdevel optional libcurl4-gnutls-dev_7.52.1-1_amd64.deb
 d35ce6c0c413084fed67a13a2f2e2787 376806 libdevel optional libcurl4-nss-dev_7.52.1-1_amd64.deb
 fb4c30cb13f6aa7df927e3b4e273ce91 373002 libdevel optional libcurl4-openssl-dev_7.52.1-1_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEBsId305pBx+F583DbwzL4CFiRygFAlh4BIYACgkQbwzL4CFi
Ryj0xxAAqU5tMOrz2bwPJ6uS8B6ozidMNpL+ZcjgbnvEOzqmE92Ra50SC/OZuVDB
R2VIF6+Iq9dRV6bdxY+gewwYYY1GUxrcd89lItE7KUW/ArfiEE2v2+lq+7ZhYeUm
xoHY637EUpXK/5Te1lRDJHkMiTToTzYU7r3BH9n/f9+Ip6DgajfBq1ERjjtYvNFR
W141DI0bAG3JZBOR2AC5/kz/AG2nkUXLDfBJZQjRPJMs9yXlrPBMS3QgWKPG1Ide
xMaaH0/lHUvT6Nnpu+dtc31Gfs8jsGL7X4oOpmIKlPpzLBwnKPHY4JHkJ5BjADCn
3GOZfvCgxw/Qwrz4ZDD6gm7M1GIitz6WHBRJPN8i7vB362kl12TkVwSGs3+4g5o1
9JlCeWsu4KIuO/17Vfcb1cM1JktvWU9+fSUGdFHJ2FEdhxcHkHg3qeVW/Yu5q1b5
Mu6wdIiF7PthzlDTESIjFArEM0gprWDJG8pJ0uoe90SC87dXJB0Z9TKeaI922yBJ
zejoRI2bM4kkhOoevtfDXWdUsKQol4s17wlyqddH4gv46bPDlmquwRjv7dMjTmMp
QD7nCJGgeyeNCDS1NHk7M1xVoy1D6Gtslz9v8yWt4EbyA06983kagrhDt0hFKk3x
TTzlHJrzw9ii5AI2rg6hc10vipbdVMcGkQ2a/+dVxu6g29z21ZQ=
=6r7C
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 27 Mar 2017 07:28:23 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:11:30 2019; Machine Name: buxtehude
