curl: CVE-2019-5435: Integer overflows in curl_url_set

Related Vulnerabilities: CVE-2019-5435, CVE-2019-5436

Debian Bug report logs - #929352


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 22 May 2019 07:45:02 UTC

Severity: important

Tags: security, upstream

Found in version curl/7.64.0-3

Fixed in version curl/7.64.0-4

Done: Alessandro Ghedini <ghedo@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Alessandro Ghedini <ghedo@debian.org>:
Bug#929352; Package src:curl. (Wed, 22 May 2019 07:45:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Alessandro Ghedini <ghedo@debian.org>. (Wed, 22 May 2019 07:45:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: curl: CVE-2019-5435: Integer overflows in curl_url_set
Date: Wed, 22 May 2019 09:43:33 +0200
Source: curl
Version: 7.64.0-3
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for curl.

CVE-2019-5435[0]:
Integer overflows in curl_url_set

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-5435
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5435
[1] https://www.openwall.com/lists/oss-security/2019/05/22/2
[2] https://curl.haxx.se/docs/CVE-2019-5435.html

Please adjust the affected versions in the BTS as needed; stretch is
afaict not affected, but we need to check whether we backported the
introducing commit.

Regards,
Salvatore



Reply sent to Alessandro Ghedini <ghedo@debian.org>:
You have taken responsibility. (Fri, 14 Jun 2019 20:39:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 14 Jun 2019 20:39:06 GMT)


Message #10 received at 929352-close@bugs.debian.org:

From: Alessandro Ghedini <ghedo@debian.org>
To: 929352-close@bugs.debian.org
Subject: Bug#929352: fixed in curl 7.64.0-4
Date: Fri, 14 Jun 2019 20:34:37 +0000
Source: curl
Source-Version: 7.64.0-4

We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 929352@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alessandro Ghedini <ghedo@debian.org> (supplier of updated curl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 14 Jun 2019 19:23:32 +0100
Source: curl
Architecture: source
Version: 7.64.0-4
Distribution: unstable
Urgency: medium
Maintainer: Alessandro Ghedini <ghedo@debian.org>
Changed-By: Alessandro Ghedini <ghedo@debian.org>
Closes: 929351 929352
Changes:
 curl (7.64.0-4) unstable; urgency=medium
 .
   * Fix TFTP receive buffer overflow as per CVE-2019-5436 (Closes: #929351)
     https://curl.haxx.se/docs/CVE-2019-5436.html
   * Fix integer overflow in curl_url_set() as per CVE-2019-5435 (Closes: #929352)
     https://curl.haxx.se/docs/CVE-2019-5435.html







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:23:11 2019; Machine Name: beach
