[CVE-2009-0037] libcurl Arbitrary File Access


Debian Bug report logs - #518423


Package: libcurl3; Maintainer for libcurl3 is Alessandro Ghedini <ghedo@debian.org>; Source for libcurl3 is src:curl.

Reported by: Daniel Leidert <daniel.leidert@wgdd.de>

Date: Thu, 5 Mar 2009 23:57:01 UTC

Severity: critical

Tags: security

Found in version curl/7.18.2-8

Fixed in versions curl/7.18.2-8.1, curl/7.19.5-1

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Domenico Andreoli <cavok@debian.org>:
Bug#518423; Package libcurl3. (Thu, 05 Mar 2009 23:57:03 GMT) (full text, mbox, link).


Acknowledgement sent to Daniel Leidert <daniel.leidert@wgdd.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Domenico Andreoli <cavok@debian.org>. (Thu, 05 Mar 2009 23:57:03 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Daniel Leidert <daniel.leidert@wgdd.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: [CVE-2009-0037] libcurl Arbitrary File Access
Date: Fri, 06 Mar 2009 00:55:01 +0100
Package: libcurl3
Version: 7.18.2-8
Severity: critical
Tags: security


See http://curl.haxx.se/docs/adv_20090303.html. Ubuntu already fixed it,
so there is a patch available.

Regards, Daniel


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (850, 'unstable'), (550, 'stable'), (500, 'oldstable'), (110, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libcurl3 depends on:
ii  ca-certificates       20081127           Common CA certificates
ii  libc6                 2.9-4              GNU C Library: Shared libraries
ii  libidn11              1.12-1             GNU Libidn library, implementation
ii  libkrb53              1.6.dfsg.4~beta1-9 Transitional library package/krb4 
ii  libldap-2.4-2         2.4.15-1           OpenLDAP libraries
ii  libssh4-1             1.0-1              SSH2 client-side library
ii  libssl0.9.8           0.9.8g-15          SSL shared libraries
ii  zlib1g                1:1.2.3.3.dfsg-13  compression library - runtime

libcurl3 recommends no packages.

libcurl3 suggests no packages.

-- no debconf information





Information forwarded to debian-bugs-dist@lists.debian.org, Domenico Andreoli <cavok@debian.org>:
Bug#518423; Package libcurl3. (Wed, 11 Mar 2009 14:51:02 GMT) (full text, mbox, link).


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Domenico Andreoli <cavok@debian.org>. (Wed, 11 Mar 2009 14:51:02 GMT) (full text, mbox, link).


Message #10 received at 518423@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: 518423@bugs.debian.org
Subject: intent to NMU
Date: Wed, 11 Mar 2009 15:49:45 +0100
Hi,
I intend to upload a 0-day NMU for this in order to get this
fixed synchronized with the oldstable and stable DSAs.
A debdiff is attached and archived on:
http://people.debian.org/~nion/nmu-diff/curl-7.18.2-8_7.18.2-8.1.patch

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[curl-7.18.2-8_7.18.2-8.1.patch (text/x-diff, attachment)]

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. (Wed, 11 Mar 2009 15:42:13 GMT) (full text, mbox, link).


Notification sent to Daniel Leidert <daniel.leidert@wgdd.de>:
Bug acknowledged by developer. (Wed, 11 Mar 2009 15:42:13 GMT) (full text, mbox, link).


Message #15 received at 518423-close@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: 518423-close@bugs.debian.org
Subject: Bug#518423: fixed in curl 7.18.2-8.1
Date: Wed, 11 Mar 2009 15:17:04 +0000
Source: curl
Source-Version: 7.18.2-8.1

We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive:

curl_7.18.2-8.1.diff.gz
  to pool/main/c/curl/curl_7.18.2-8.1.diff.gz
curl_7.18.2-8.1.dsc
  to pool/main/c/curl/curl_7.18.2-8.1.dsc
curl_7.18.2-8.1_amd64.deb
  to pool/main/c/curl/curl_7.18.2-8.1_amd64.deb
libcurl3-dbg_7.18.2-8.1_amd64.deb
  to pool/main/c/curl/libcurl3-dbg_7.18.2-8.1_amd64.deb
libcurl3-gnutls_7.18.2-8.1_amd64.deb
  to pool/main/c/curl/libcurl3-gnutls_7.18.2-8.1_amd64.deb
libcurl3_7.18.2-8.1_amd64.deb
  to pool/main/c/curl/libcurl3_7.18.2-8.1_amd64.deb
libcurl4-gnutls-dev_7.18.2-8.1_amd64.deb
  to pool/main/c/curl/libcurl4-gnutls-dev_7.18.2-8.1_amd64.deb
libcurl4-openssl-dev_7.18.2-8.1_amd64.deb
  to pool/main/c/curl/libcurl4-openssl-dev_7.18.2-8.1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 518423@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated curl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Wed, 11 Mar 2009 15:33:08 +0100
Source: curl
Binary: curl libcurl3 libcurl3-gnutls libcurl4-openssl-dev libcurl4-gnutls-dev libcurl3-dbg
Architecture: source amd64
Version: 7.18.2-8.1
Distribution: unstable
Urgency: high
Maintainer: Domenico Andreoli <cavok@debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 curl       - Get a file from an HTTP, HTTPS or FTP server
 libcurl3   - Multi-protocol file transfer library (OpenSSL)
 libcurl3-dbg - libcurl compiled with debug symbols
 libcurl3-gnutls - Multi-protocol file transfer library (GnuTLS)
 libcurl4-gnutls-dev - Development files and documentation for libcurl (GnuTLS)
 libcurl4-openssl-dev - Development files and documentation for libcurl (OpenSSL)
Closes: 518423
Changes: 
 curl (7.18.2-8.1) unstable; urgency=high
 .
   * Non-maintainer upload by the security team.
   * Include upstream patch to prevent overwriting and reading arbitrary
     local files or command execution via malicious redirects depending on
     the setup curl is used in.
     NOTE: This update introduces a new option called CURLOPT_REDIR_PROTOCOLS
     which includes the protocols curl will follow on redirects, scp and file
     are not included by default (CVE-2009-0037; Closes: #518423).

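The changelog entry above describes the fix as a per-redirect protocol allow-list (CURLOPT_REDIR_PROTOCOLS, with scp and file left out of the default). The following is an added example, not code from the bug log or from libcurl, that models that allow-list check in plain C so the default behaviour can be exercised offline: the PROTO_* bits, the url_scheme/proto_bit/redirect_allowed functions and the sample URLs are this example's own assumptions, and a real libcurl application sets CURLOPT_REDIR_PROTOCOLS on its handle rather than reimplementing this.

```c
/* Added example (not from the bug log or libcurl): a model of the redirect
 * protocol allow-list CURLOPT_REDIR_PROTOCOLS provides. Names are assumed. */
#include <ctype.h>
#include <string.h>

enum {
    PROTO_HTTP = 1u << 0, PROTO_HTTPS = 1u << 1, PROTO_FTP  = 1u << 2,
    PROTO_FTPS = 1u << 3, PROTO_SCP   = 1u << 4, PROTO_SFTP = 1u << 5,
    PROTO_FILE = 1u << 6
};
/* Modelled on the fixed default in the changelog: scp and file not followed. */
#define PROTO_REDIR_DEFAULT (PROTO_HTTP | PROTO_HTTPS | PROTO_FTP | PROTO_FTPS | PROTO_SFTP)

/* Copy the RFC 3986 scheme (ALPHA *(ALPHA / DIGIT / "+" / "-" / ".") ":") of url
 * into buf, lower-cased. Returns 1 on success, 0 for a relative Location, -1 if overlong. */
static int url_scheme(const char *url, char *buf, size_t buflen) {
    size_t i = 0;
    if (!isalpha((unsigned char)url[0])) return 0;
    while (url[i] && (isalnum((unsigned char)url[i]) || strchr("+-.", url[i]))) {
        if (i + 1 >= buflen) return -1;          /* scheme longer than buf: reject */
        buf[i] = (char)tolower((unsigned char)url[i]);
        i++;
    }
    if (url[i] != ':') return 0;                 /* no "scheme:" prefix: relative */
    buf[i] = '\0';
    return 1;
}

/* Map a lower-cased scheme to its bit; an unknown scheme gets no bit, so it is never followed. */
static unsigned proto_bit(const char *scheme) {
    static const struct { const char *name; unsigned bit; } tab[] = {
        {"http", PROTO_HTTP}, {"https", PROTO_HTTPS}, {"ftp", PROTO_FTP},
        {"ftps", PROTO_FTPS}, {"scp", PROTO_SCP}, {"sftp", PROTO_SFTP},
        {"file", PROTO_FILE}
    };
    for (size_t i = 0; i < sizeof tab / sizeof tab[0]; i++)
        if (strcmp(tab[i].name, scheme) == 0) return tab[i].bit;
    return 0;
}

/* Decide whether a Location header value may be followed. A relative Location
 * stays on the protocol of the current transfer (cur_proto). */
int redirect_allowed(const char *location, unsigned cur_proto, unsigned allowed) {
    char scheme[32];
    int kind = url_scheme(location, scheme, sizeof scheme);
    unsigned bit = kind > 0 ? proto_bit(scheme) : kind == 0 ? cur_proto : 0u;
    return (bit & allowed) != 0;
}
```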





Information forwarded to debian-bugs-dist@lists.debian.org, Domenico Andreoli <cavok@debian.org>:
Bug#518423; Package libcurl3. (Sat, 06 Jun 2009 02:33:05 GMT) (full text, mbox, link).


Acknowledgement sent to Ben Finney <ben+debian@benfinney.id.au>:
Extra info received and forwarded to list. Copy sent to Domenico Andreoli <cavok@debian.org>. (Sat, 06 Jun 2009 02:33:05 GMT) (full text, mbox, link).


Message #20 received at 518423@bugs.debian.org (full text, mbox, reply):

From: Ben Finney <ben+debian@benfinney.id.au>
To: 518423@bugs.debian.org
Subject: Re: Bug#518423: fixed in curl 7.18.2-8.1
Date: Sat, 6 Jun 2009 12:32:21 +1000
On 11-Mar-2009, Nico Golde wrote:
> Source: curl
> Source-Version: 7.18.2-8.1
> …
>
> Closes: 518423
> Changes: 
>  curl (7.18.2-8.1) unstable; urgency=high
>  .
>    * Non-maintainer upload by the security team.
>    * Include upstream patch to prevent overwriting and reading arbitrary
>      local files or command execution via malicious redirects depending on
>      the setup curl is used in.
>      NOTE: This update introduces a new option called CURLOPT_REDIR_PROTOCOLS
>      which includes the protocols curl will follow on redirects, scp and file
>      are not included by default (CVE-2009-0037; Closes: #518423).

This bug fix has not yet made it into Sid, which is blocking the
progression of ‘pycurl’ into Squeeze since it has a dependency on a
newer version of ‘curl’.

What is the prognosis for getting this fix into Squeeze?

-- 
 \       “Facts are meaningless. You could use facts to prove anything |
  `\                that's even remotely true!” —Homer, _The Simpsons_ |
_o__)                                                                  |
Ben Finney <ben@benfinney.id.au>

Information forwarded to debian-bugs-dist@lists.debian.org, Domenico Andreoli <cavok@debian.org>:
Bug#518423; Package libcurl3. (Sat, 13 Jun 2009 13:57:02 GMT) (full text, mbox, link).


Acknowledgement sent to Andreas Schuldei <andreas@schuldei.org>:
Extra info received and forwarded to list. Copy sent to Domenico Andreoli <cavok@debian.org>. (Sat, 13 Jun 2009 13:57:02 GMT) (full text, mbox, link).


Message #25 received at 518423@bugs.debian.org (full text, mbox, reply):

From: Andreas Schuldei <andreas@schuldei.org>
To: Ben Finney <ben+debian@benfinney.id.au>, BenFinney@schuldei.org, 518423@bugs.debian.org
Subject: Re: Bug#518423: fixed in curl 7.18.2-8.1
Date: Sat, 13 Jun 2009 15:54:30 +0200
fixed 518423 7.19.5-1

* Ben Finney (ben+debian@benfinney.id.au) [090606 04:34]:
> On 11-Mar-2009, Nico Golde wrote:
> > Source: curl
> > Source-Version: 7.18.2-8.1
> > …
> >
> > Closes: 518423
> > Changes: 
> >  curl (7.18.2-8.1) unstable; urgency=high
> >  .
> >    * Non-maintainer upload by the security team.
> >    * Include upstream patch to prevent overwriting and reading arbitrary
> >      local files or command execution via malicious redirects depending on
> >      the setup curl is used in.
> >      NOTE: This update introduces a new option called CURLOPT_REDIR_PROTOCOLS
> >      which includes the protocols curl will follow on redirects, scp and file
> >      are not included by default (CVE-2009-0037; Closes: #518423).
> 
> This bug fix has not yet made it into Sid, which is blocking the
> progression of ‘pycurl’ into Squeeze since it has a dependency on a
> newer version of ‘curl’.
> 
> What is the prognosis for getting this fix into Squeeze?
> 




Information forwarded to debian-bugs-dist@lists.debian.org, Domenico Andreoli <cavok@debian.org>:
Bug#518423; Package libcurl3. (Sun, 21 Jun 2009 03:39:02 GMT) (full text, mbox, link).


Acknowledgement sent to Ben Finney <ben+debian@benfinney.id.au>:
Extra info received and forwarded to list. Copy sent to Domenico Andreoli <cavok@debian.org>. (Sun, 21 Jun 2009 03:39:02 GMT) (full text, mbox, link).


Message #30 received at 518423@bugs.debian.org (full text, mbox, reply):

From: Ben Finney <ben+debian@benfinney.id.au>
To: Andreas Schuldei <andreas@schuldei.org>
Cc: 518423@bugs.debian.org
Subject: Re: Bug#518423: fixed in curl 7.18.2-8.1
Date: Sun, 21 Jun 2009 13:38:15 +1000
On 13-Jun-2009, Andreas Schuldei wrote:
> fixed 518423 7.19.5-1

Did you intend for this to go to the Debian BTS control bot? It's only
gone to the bug report and the reporter.

-- 
 \      “It's a small world, but I wouldn't want to have to paint it.” |
  `\                                                    —Steven Wright |
_o__)                                                                  |
Ben Finney <ben@benfinney.id.au>

Bug marked as fixed in version 7.19.5-1. Request was from Andreas Schuldei <andreas@schuldei.org> to control@bugs.debian.org. (Fri, 10 Jul 2009 22:48:03 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Feb 2011 07:46:52 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:23:14 2019; Machine Name: beach
