
Bug#774900: marked as done (unblock: curl/7.38.0-4)



Your message dated Thu, 08 Jan 2015 21:29:34 +0100
with message-id <54AEE8AE.8050909@thykier.net>
and subject line Re: Bug#774900: unblock: curl/7.38.0-4
has caused the Debian Bug report #774900,
regarding unblock: curl/7.38.0-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
774900: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774900
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package curl, it provides a patch for CVE-2014-8150.

See attached debdiff.

unblock curl/7.38.0-4

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru curl-7.38.0/debian/changelog curl-7.38.0/debian/changelog
--- curl-7.38.0/debian/changelog	2014-11-06 11:40:27.000000000 +0100
+++ curl-7.38.0/debian/changelog	2015-01-08 10:47:32.000000000 +0100
@@ -1,3 +1,11 @@
+curl (7.38.0-4) unstable; urgency=high
+
+  * Fix URL request injection vulnerability as per CVE-2014-8150
+    http://curl.haxx.se/docs/adv_20150108B.html
+  * Set urgency=high accordingly
+
+ -- Alessandro Ghedini <ghedo@debian.org>  Thu, 08 Jan 2015 10:47:24 +0100
+
 curl (7.38.0-3) unstable; urgency=high
 
   * Enable all hardening options (Closes: #763372)
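Review bot: the new changelog entry cites the CVE and the upstream advisory but not the patch file it introduces (debian/patches/12_CVE-2014-8150.patch) or the upstream commit that patch carries (4e2ac2afa94f014a2a015c48c678e2367a63ae82); naming both makes the fix auditable from the changelog alone, e.g. "* Add 12_CVE-2014-8150.patch (upstream commit 4e2ac2af): reject CR/LF within URLs (CVE-2014-8150)".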
diff -Nru curl-7.38.0/debian/patches/12_CVE-2014-8150.patch curl-7.38.0/debian/patches/12_CVE-2014-8150.patch
--- curl-7.38.0/debian/patches/12_CVE-2014-8150.patch	1970-01-01 01:00:00.000000000 +0100
+++ curl-7.38.0/debian/patches/12_CVE-2014-8150.patch	2015-01-08 10:47:32.000000000 +0100
@@ -0,0 +1,27 @@
+From 4e2ac2afa94f014a2a015c48c678e2367a63ae82 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 25 Dec 2014 23:55:03 +0100
+Subject: [PATCH] url-parsing: reject CRLFs within URLs
+
+Bug: http://curl.haxx.se/docs/adv_20150108B.html
+Reported-by: Andrey Labunets
+---
+ lib/url.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -3784,6 +3784,13 @@
+ 
+   *prot_missing = FALSE;
+ 
++  /* We might pass the entire URL into the request so we need to make sure
++   * there are no bad characters in there.*/
++  if(strpbrk(data->change.url, "\r\n")) {
++    failf(data, "Illegal characters found in URL");
++    return CURLE_URL_MALFORMAT;
++  }
++
+   /*************************************************************
+    * Parse the URL.
+    *
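Review bot: the strpbrk(data->change.url, "\r\n") check added at the top of this hunk rejects only raw CR and LF bytes, so other control characters in the URL still pass through to the request; that is outside the scope of this CVE, but the comment ("no bad characters") should say explicitly that only the request-splitting characters are meant, so nobody later reads it as a general sanitiser. Running the check on the whole URL before the parse is the right conservative choice, since it rejects CR/LF in any component (userinfo, path, query) rather than only in the path. The failf() message "Illegal characters found in URL" could name the offending characters (CR/LF) so this rejection is distinguishable in logs from the generic malformed-URL case, since both return CURLE_URL_MALFORMAT. On the packaging side, the DEP-3 header carries Bug: and Reported-by: but no Origin: line; "Origin: upstream, commit 4e2ac2afa94f014a2a015c48c678e2367a63ae82" would record provenance in the standard field.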
diff -Nru curl-7.38.0/debian/patches/series curl-7.38.0/debian/patches/series
--- curl-7.38.0/debian/patches/series	2014-11-06 11:40:27.000000000 +0100
+++ curl-7.38.0/debian/patches/series	2015-01-08 10:47:32.000000000 +0100
@@ -8,6 +8,7 @@
 09_libtoolize_check.patch
 10_fix-resolver.patch
 11_CVE-2014-3707.patch
+12_CVE-2014-8150.patch
 
 # do not add patches below
 90_gnutls.patch

--- End Message ---
--- Begin Message ---
On 2015-01-08 21:09, Alessandro Ghedini wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package curl, it provides a patch for CVE-2014-8150.
> 
> See attached debdiff.
> 
> unblock curl/7.38.0-4
> 
> [...]

Unblocked, thanks.

~Niels

--- End Message ---