Debian Security Advisory
DSA-2023-1 curl -- buffer overflow
- Date Reported:
- 28 Mar 2010
- Affected Packages:
- curl
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2010-0734.
- More information:
-
Wesley Miaw discovered that libcurl, a multi-protocol file transfer library, is prone to a buffer overflow via the callback function when an application relies on libcurl to automatically uncompress data. Note that this only affects applications that trust libcurl's maximum limit for a fixed buffer size and do not perform any sanity checks themselves.
For the stable distribution (lenny), this problem has been fixed in version 7.18.2-8lenny4.
Due to a problem with the archive software, we are unable to release all architectures simultaneously. Binaries for the hppa, ia64, mips, mipsel and s390 architectures will be provided once they are available.
For the testing distribution (squeeze) and the unstable distribution (sid), this problem has been fixed in version 7.20.0-1.
We recommend that you upgrade your curl packages.
- Fixed in:
-
Debian GNU/Linux 5.0 (lenny)
- Source:
- http://security.debian.org/pool/updates/main/c/curl/curl_7.18.2-8lenny4.dsc
- http://security.debian.org/pool/updates/main/c/curl/curl_7.18.2.orig.tar.gz
- http://security.debian.org/pool/updates/main/c/curl/curl_7.18.2-8lenny4.diff.gz
- http://security.debian.org/pool/updates/main/c/curl/curl_7.18.2.orig.tar.gz
- Alpha:
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.18.2-8lenny4_alpha.deb
- http://security.debian.org/pool/updates/main/c/curl/curl_7.18.2-8lenny4_alpha.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl4-openssl-dev_7.18.2-8lenny4_alpha.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.18.2-8lenny4_alpha.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl4-gnutls-dev_7.18.2-8lenny4_alpha.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.18.2-8lenny4_alpha.deb
- http://security.debian.org/pool/updates/main/c/curl/curl_7.18.2-8lenny4_alpha.deb
- AMD64:
- http://security.debian.org/pool/updates/main/c/curl/libcurl4-gnutls-dev_7.18.2-8lenny4_amd64.deb
- http://security.debian.org/pool/updates/main/c/curl/curl_7.18.2-8lenny4_amd64.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.18.2-8lenny4_amd64.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.18.2-8lenny4_amd64.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.18.2-8lenny4_amd64.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl4-openssl-dev_7.18.2-8lenny4_amd64.deb
- http://security.debian.org/pool/updates/main/c/curl/curl_7.18.2-8lenny4_amd64.deb
- ARM:
- http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.18.2-8lenny4_arm.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.18.2-8lenny4_arm.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl4-gnutls-dev_7.18.2-8lenny4_arm.deb
- http://security.debian.org/pool/updates/main/c/curl/curl_7.18.2-8lenny4_arm.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.18.2-8lenny4_arm.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl4-openssl-dev_7.18.2-8lenny4_arm.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.18.2-8lenny4_arm.deb
- ARM EABI:
- http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.18.2-8lenny4_armel.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl4-openssl-dev_7.18.2-8lenny4_armel.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl4-gnutls-dev_7.18.2-8lenny4_armel.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.18.2-8lenny4_armel.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.18.2-8lenny4_armel.deb
- http://security.debian.org/pool/updates/main/c/curl/curl_7.18.2-8lenny4_armel.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl4-openssl-dev_7.18.2-8lenny4_armel.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.18.2-8lenny4_i386.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.18.2-8lenny4_i386.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl4-openssl-dev_7.18.2-8lenny4_i386.deb
- http://security.debian.org/pool/updates/main/c/curl/curl_7.18.2-8lenny4_i386.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.18.2-8lenny4_i386.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl4-gnutls-dev_7.18.2-8lenny4_i386.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.18.2-8lenny4_i386.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.18.2-8lenny4_powerpc.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.18.2-8lenny4_powerpc.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl4-openssl-dev_7.18.2-8lenny4_powerpc.deb
- http://security.debian.org/pool/updates/main/c/curl/curl_7.18.2-8lenny4_powerpc.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl4-gnutls-dev_7.18.2-8lenny4_powerpc.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.18.2-8lenny4_powerpc.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.18.2-8lenny4_powerpc.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/c/curl/curl_7.18.2-8lenny4_sparc.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl4-gnutls-dev_7.18.2-8lenny4_sparc.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl4-openssl-dev_7.18.2-8lenny4_sparc.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.18.2-8lenny4_sparc.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.18.2-8lenny4_sparc.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.18.2-8lenny4_sparc.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl4-gnutls-dev_7.18.2-8lenny4_sparc.deb
MD5 checksums of the listed files are available in the original advisory.