Aviso de seguridad de Debian
DSA-919-2 curl -- desbordamiento de buffer
- Fecha del informe:
- 12 de dic de 2005
- Paquetes afectados:
- curl
- Vulnerable:
- Sí
- Referencias a bases de datos de seguridad:
- En el sistema de seguimiento de errores de Debian: error 342339, error 342696.
En la base de datos de Bugtraq (en SecurityFocus): Id. en BugTraq 15756, Id. en BugTraq 15102, Id. en BugTraq 15647.
En el diccionario CVE de Mitre: CVE-2005-4077, CVE-2005-3185. - Información adicional:
-
El desarrollador de curl, una biblioteca para la transferencia de archivos mediante varios protocolos, nos informó de que la corercción anterior a varios errores de desplazamiento por uno no son suficientes. Para una mejor comprensión del problema original y de su solución, se reproduce a continuación la descripción original del error::
Se han descubierto varios problemas en libcurl, una biblioteca de transferencia de archivos para varios protocolos. El proyecto Common Vulnerabilities and Exposures identifica los siguientes problemas:
- CVE-2005-3185
Se ha descubierto un desbordamiento de bufer en libcurl, que permitía la ejecución de código arbitrario.
- CVE-2005-4077
Stefan Esser descubrió varios errores de desplazamiento por uno que permitía que los usuarios locales produjeran un desbordamiento de buffer y provocara una denegación de servicio, o que eludiese las restricciones de seguridad de PHP mediante ciertos URLs.
Para la distribución estable anterior (woody), estos problemas se han corregido en la versión 7.9.5-1woody2.
Para la distribución estable (sarge), estos problemas se han corregido en la versión 7.13.2-2sarge5. Esta actualización también incluye una corrección de error que previene la corrupción de datos.
Para la distribución inestable (sid), estos problemas se han corregido en la versión 7.15.1-1.
Le recomendamos que actualice los paquetes de libcurl.
- CVE-2005-3185
- Arreglado en:
-
Debian GNU/Linux 3.0 (woody)
- Fuentes:
- http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody2.dsc
- http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody2.diff.gz
- http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5.orig.tar.gz
- http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody2.diff.gz
- Alpha:
- http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody2_alpha.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody2_alpha.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody2_alpha.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody2_alpha.deb
- ARM:
- http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody2_arm.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody2_arm.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody2_arm.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody2_arm.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody2_i386.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody2_i386.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody2_i386.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody2_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody2_ia64.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody2_ia64.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody2_ia64.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody2_ia64.deb
- HPPA:
- http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody2_hppa.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody2_hppa.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody2_hppa.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody2_hppa.deb
- Motorola 680x0:
- http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody2_m68k.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody2_m68k.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody2_m68k.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody2_m68k.deb
- Big endian MIPS:
- http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody2_mips.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody2_mips.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody2_mips.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody2_mips.deb
- Little endian MIPS:
- http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody2_mipsel.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody2_mipsel.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody2_mipsel.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody2_mipsel.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody2_powerpc.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody2_powerpc.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody2_powerpc.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody2_powerpc.deb
- IBM S/390:
- http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody2_s390.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody2_s390.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody2_s390.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody2_s390.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody2_sparc.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody2_sparc.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody2_sparc.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody2_sparc.deb
Debian GNU/Linux 3.1 (sarge)
- Fuentes:
- http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge5.dsc
- http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge5.diff.gz
- http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2.orig.tar.gz
- http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge5.diff.gz
- Alpha:
- http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge5_alpha.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge5_alpha.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge5_alpha.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge5_alpha.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge5_alpha.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge5_alpha.deb
- AMD64:
- http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge5_amd64.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge5_amd64.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge5_amd64.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge5_amd64.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge5_amd64.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge5_amd64.deb
- ARM:
- http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge5_arm.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge5_arm.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge5_arm.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge5_arm.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge5_arm.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge5_arm.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge5_i386.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge5_i386.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge5_i386.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge5_i386.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge5_i386.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge5_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge5_ia64.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge5_ia64.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge5_ia64.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge5_ia64.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge5_ia64.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge5_ia64.deb
- HPPA:
- http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge5_hppa.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge5_hppa.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge5_hppa.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge5_hppa.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge5_hppa.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge5_hppa.deb
- Motorola 680x0:
- http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge5_m68k.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge5_m68k.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge5_m68k.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge5_m68k.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge5_m68k.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge5_m68k.deb
- Big endian MIPS:
- http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge5_mips.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge5_mips.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge5_mips.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge5_mips.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge5_mips.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge5_mips.deb
- Little endian MIPS:
- http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge5_mipsel.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge5_mipsel.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge5_mipsel.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge5_mipsel.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge5_mipsel.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge5_mipsel.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge5_powerpc.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge5_powerpc.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge5_powerpc.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge5_powerpc.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge5_powerpc.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge5_powerpc.deb
- IBM S/390:
- http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge5_s390.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge5_s390.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge5_s390.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge5_s390.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge5_s390.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge5_s390.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge5_sparc.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge5_sparc.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge5_sparc.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge5_sparc.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge5_sparc.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge5_sparc.deb
Las sumas MD5 de los ficheros que se listan están disponibles en el aviso original.
Las sumas MD5 de los ficheros que se listan están disponibles en el aviso revisado.