Debian Security Advisory
DSA-2023-1 curl -- buffer overflow
- Date Reported:
- 28 Mar 2010
- Affected Packages:
- curl
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2010-0734.
- More information:
-
Wesley Miaw discovered that libcurl, a multi-protocol file transfer library, was affected by a buffer overflow via the callback function when an application expected libcurl to automatically decompress data. Note that this only affected applications that trust libcurl's maximum limit for a fixed-size buffer and do not perform any sanity checks themselves.
For the stable distribution (lenny), this problem has been fixed in version 7.18.2-8lenny4.
Due to a problem with the archive software, we are unable to release all architectures simultaneously. Binaries for the hppa, ia64, mips, mipsel and s390 architectures will be provided once they are available.
For the testing distribution (squeeze) and the unstable distribution (sid), this problem has been fixed in version 7.20.0-1.
We recommend that you upgrade your curl packages.
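The sanity check that the affected applications lacked, as an added example (not code from curl or Debian): a write callback with the signature libcurl uses for CURLOPT_WRITEFUNCTION that refuses any chunk that does not fit its fixed-size buffer. `struct sink`, `SINK_CAPACITY` and `checked_write_cb` are hypothetical names, the capacity is assumed to equal libcurl's documented CURL_MAX_WRITE_SIZE (16384), and the oversized chunk is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: equals libcurl's documented CURL_MAX_WRITE_SIZE (16384).
 * Defined locally so the example builds without the curl headers. */
#define SINK_CAPACITY 16384

/* Hypothetical fixed-size receive buffer owned by the application. */
struct sink {
    char   data[SINK_CAPACITY];
    size_t used;
};

/* Same signature as a CURLOPT_WRITEFUNCTION callback. Returning a count
 * other than size * nmemb makes libcurl abort the transfer with an error. */
size_t checked_write_cb(char *ptr, size_t size, size_t nmemb, void *userdata)
{
    struct sink *s = userdata;

    /* Guard the multiplication before using the product as a length. */
    if (size != 0 && nmemb > SIZE_MAX / size)
        return 0;
    size_t n = size * nmemb;

    /* The check the affected applications lacked: never assume a chunk
     * is at most the documented maximum; compare it to the space left. */
    if (n > sizeof(s->data) - s->used)
        return 0;

    memcpy(s->data + s->used, ptr, n);
    s->used += n;
    return n;
}

int main(void)
{
    static struct sink s;                      /* zero-initialised */
    static char chunk[SINK_CAPACITY + 4096];   /* constructed oversized chunk */

    size_t ok  = checked_write_cb(chunk, 1, 100, &s);
    size_t bad = checked_write_cb(chunk, 1, sizeof(chunk), &s);
    printf("accepted=%zu rejected_returns=%zu used=%zu\n", ok, bad, s.used);
    return 0;
}
```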
- Fixed in:
-
Debian GNU/Linux 5.0 (lenny)
- Source:
- http://security.debian.org/pool/updates/main/c/curl/curl_7.18.2-8lenny4.dsc
- http://security.debian.org/pool/updates/main/c/curl/curl_7.18.2.orig.tar.gz
- http://security.debian.org/pool/updates/main/c/curl/curl_7.18.2-8lenny4.diff.gz
- Alpha:
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.18.2-8lenny4_alpha.deb
- http://security.debian.org/pool/updates/main/c/curl/curl_7.18.2-8lenny4_alpha.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl4-openssl-dev_7.18.2-8lenny4_alpha.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.18.2-8lenny4_alpha.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl4-gnutls-dev_7.18.2-8lenny4_alpha.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.18.2-8lenny4_alpha.deb
- AMD64:
- http://security.debian.org/pool/updates/main/c/curl/libcurl4-gnutls-dev_7.18.2-8lenny4_amd64.deb
- http://security.debian.org/pool/updates/main/c/curl/curl_7.18.2-8lenny4_amd64.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.18.2-8lenny4_amd64.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.18.2-8lenny4_amd64.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.18.2-8lenny4_amd64.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl4-openssl-dev_7.18.2-8lenny4_amd64.deb
- ARM:
- http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.18.2-8lenny4_arm.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.18.2-8lenny4_arm.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl4-gnutls-dev_7.18.2-8lenny4_arm.deb
- http://security.debian.org/pool/updates/main/c/curl/curl_7.18.2-8lenny4_arm.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.18.2-8lenny4_arm.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl4-openssl-dev_7.18.2-8lenny4_arm.deb
- ARM EABI:
- http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.18.2-8lenny4_armel.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl4-openssl-dev_7.18.2-8lenny4_armel.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl4-gnutls-dev_7.18.2-8lenny4_armel.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.18.2-8lenny4_armel.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.18.2-8lenny4_armel.deb
- http://security.debian.org/pool/updates/main/c/curl/curl_7.18.2-8lenny4_armel.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.18.2-8lenny4_i386.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.18.2-8lenny4_i386.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl4-openssl-dev_7.18.2-8lenny4_i386.deb
- http://security.debian.org/pool/updates/main/c/curl/curl_7.18.2-8lenny4_i386.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.18.2-8lenny4_i386.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl4-gnutls-dev_7.18.2-8lenny4_i386.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.18.2-8lenny4_powerpc.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.18.2-8lenny4_powerpc.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl4-openssl-dev_7.18.2-8lenny4_powerpc.deb
- http://security.debian.org/pool/updates/main/c/curl/curl_7.18.2-8lenny4_powerpc.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl4-gnutls-dev_7.18.2-8lenny4_powerpc.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.18.2-8lenny4_powerpc.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/c/curl/curl_7.18.2-8lenny4_sparc.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl4-gnutls-dev_7.18.2-8lenny4_sparc.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl4-openssl-dev_7.18.2-8lenny4_sparc.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.18.2-8lenny4_sparc.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.18.2-8lenny4_sparc.deb
- http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.18.2-8lenny4_sparc.deb
MD5 checksums of the listed files are available in the original advisory.