[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Accepted curl 7.26.0-1+wheezy17 (source amd64) into oldstable

Hash: SHA512

Format: 1.8
Date: Thu, 10 Nov 2016 17:31:06 +0100
Source: curl
Binary: curl libcurl3 libcurl3-gnutls libcurl3-nss libcurl4-openssl-dev libcurl4-gnutls-dev libcurl4-nss-dev libcurl3-dbg
Architecture: source amd64
Version: 7.26.0-1+wheezy17
Distribution: wheezy-security
Urgency: high
Maintainer: Alessandro Ghedini <ghedo@debian.org>
Changed-By: Thorsten Alteholz <debian@alteholz.de>
 curl       - command line tool for transferring data with URL syntax
 libcurl3   - easy-to-use client-side URL transfer library (OpenSSL flavour)
 libcurl3-dbg - debugging symbols for libcurl (OpenSSL, GnuTLS and NSS flavours)
 libcurl3-gnutls - easy-to-use client-side URL transfer library (GnuTLS flavour)
 libcurl3-nss - easy-to-use client-side URL transfer library (NSS flavour)
 libcurl4-gnutls-dev - development files and documentation for libcurl (GnuTLS flavour)
 libcurl4-nss-dev - development files and documentation for libcurl (NSS flavour)
 libcurl4-openssl-dev - development files and documentation for libcurl (OpenSSL flavour)
 curl (7.26.0-1+wheezy17) wheezy-security; urgency=high
   * Non-maintainer upload by the LTS Team.
   * CVE-2016-8615
     If cookie state is written into a cookie jar file that is later read
     back and used for subsequent requests, a malicious HTTP server can
     inject new cookies for arbitrary domains into said cookie jar.
     The issue pertains to the function that loads cookies into memory, which
     reads the specified file into a fixed-size buffer in a line-by-line
     manner using the `fgets()` function. If an invocation of fgets() cannot
     read the whole line into the destination buffer due to it being too
     small, it truncates the output.
     This way, a very long cookie (name + value) sent by a malicious server
     would be stored in the file and subsequently that cookie could be read
     partially and crafted correctly, it could be treated as a different
     cookie for another server.
   * CVE-2016-8616
     When re-using a connection, curl was doing case insensitive comparisons
     of user name and password with the existing connections.
     This means that if an unused connection with proper credentials exists
     for a protocol that has connection-scoped credentials, an attacker can
     cause that connection to be reused if s/he knows the case-insensitive
     version of the correct password.
   * CVE-2016-8617
     In libcurl's base64 encode function, the output buffer is allocated
     as follows without any checks on insize:
        malloc( insize * 4 / 3 + 4 )
     On systems with 32-bit addresses in userspace (e.g. x86, ARM, x32),
     the multiplication in the expression wraps around if insize is at
     least 1GB of data. If this happens, an undersized output buffer will
     be allocated, but the full result will be written, thus causing the
     memory behind the output buffer to be overwritten.
     Systems with 64 bit versions of the `size_t` type are not affected
     by this issue.
   * CVE-2016-8618
     The libcurl API function called `curl_maprintf()` can be tricked into
     doing a double-free due to an unsafe `size_t` multiplication, on
     systems using 32 bit `size_t` variables. The function is also used
     internallty in numerous situations.
     Systems with 64 bit versions of the `size_t` type are not affected
     by this issue.
   * CVE-2016-8619
     In curl's implementation of the Kerberos authentication mechanism,
     the function `read_data()` in security.c is used to fill the
     necessary krb5 structures. When reading one of the length fields from
     the socket, it fails to ensure that the length parameter passed to
     realloc() is not set to 0.
   * CVE-2016-8621
     The `curl_getdate` converts a given date string into a numerical
     timestamp and it supports a range of different formats and
     possibilites to express a date and time. The underlying date
     parsing function is also used internally when parsing for example
     HTTP cookies (possibly received from remote servers) and it can be
     used when doing conditional HTTP requests.
   * CVE-2016-8622
     The URL percent-encoding decode function in libcurl is called
     `curl_easy_unescape`. Internally, even if this function would be
     made to allocate a unscape destination buffer larger than 2GB, it
     would return that new length in a signed 32 bit integer variable,
     thus the length would get either just truncated or both truncated
     and turned negative. That could then lead to libcurl writing outside
     of its heap based buffer.
   * CVE-2016-8623 9/11 curl Use-after-free via shared cookies
     libcurl explicitly allows users to share cookies between multiple
     easy handles that are concurrently employed by different threads.
     When cookies to be sent to a server are collected, the matching
     function collects all cookies to send and the cookie lock is released
     immediately afterwards. That funcion however only returns a list with
     *references* back to the original strings for name, value, path and so
     on. Therefore, if another thread quickly takes the lock and frees one
     of the original cookie structs together with its strings,
     a use-after-free can occur and lead to information disclosure. Another
     thread can also replace the contents of the cookies from separate HTTP
     responses or API calls.
   * CVE-2016-8624 10/11 curl invalid URL parsing with '#'
     curl doesn't parse the authority component of the URL correctly when
     the host name part ends with a '#' character, and could instead be
     tricked into connecting to a different host. This may have security
     implications if you for example use an URL parser that follows the RFC
     to check for allowed domains before using curl to request them.
 b111b030f4b7c0083c487aaff2f2f09570c5d69f 2693 curl_7.26.0-1+wheezy17.dsc
 66e1fd0312f62374b96fe02e644f66202fd6324b 3073624 curl_7.26.0.orig.tar.gz
 409ddfa08f185b914804b7181555f9cbc5834fab 63572 curl_7.26.0-1+wheezy17.debian.tar.gz
 5c972ee44b31b9ecfa109973fa0bb215a44b7ebb 272596 curl_7.26.0-1+wheezy17_amd64.deb
 b637b1b47c48da8d89d9559ca890abf0c91a70f2 334172 libcurl3_7.26.0-1+wheezy17_amd64.deb
 dbfe7cf16c9503c98f4a520c9a3b9e3b209a6d42 325386 libcurl3-gnutls_7.26.0-1+wheezy17_amd64.deb
 ac17a854a288f22fefe615eca8e3c97d986a3939 331908 libcurl3-nss_7.26.0-1+wheezy17_amd64.deb
 a3eb342992c53155b0989c196ce2ce83c3fd63b5 1276094 libcurl4-openssl-dev_7.26.0-1+wheezy17_amd64.deb
 687aa4d9b65ca6902d39f46dcffb159f0f101622 1265144 libcurl4-gnutls-dev_7.26.0-1+wheezy17_amd64.deb
 eadc425b06d6235b807aa1b0fc955ff2c99dea93 1272604 libcurl4-nss-dev_7.26.0-1+wheezy17_amd64.deb
 9c1603f0b5f92cd11f4cfc7faa040a3fd879b0db 3310262 libcurl3-dbg_7.26.0-1+wheezy17_amd64.deb
 bb86b101983e60c2a64e389a43e8f82b359a36fe111b0da22457cca879f64030 2693 curl_7.26.0-1+wheezy17.dsc
 79ccce9edb8aee17d20ad4d75e1f83a789f8c2e71e68f468e1bf8abf8933193f 3073624 curl_7.26.0.orig.tar.gz
 48f3a78410b5aba7a7a2b43bdef2a5bc3b674ba01ea96e98d792d7dea43de61f 63572 curl_7.26.0-1+wheezy17.debian.tar.gz
 fc0eb6045151e3346a433c199a7aa66e90e4137d243d48ccfe858284a8bfd5aa 272596 curl_7.26.0-1+wheezy17_amd64.deb
 37627a829fef55ecb2018384910f2cad519cfbd2fcb7a5b16226bc95587b2cb1 334172 libcurl3_7.26.0-1+wheezy17_amd64.deb
 d4f5663471beda08ef7243e021982b3a3753d375f2186b70d6b024974257ecfe 325386 libcurl3-gnutls_7.26.0-1+wheezy17_amd64.deb
 eacf38e42d341ce6aacc509db2fa85d0d18e4bae410a071f20c63500b7bd67aa 331908 libcurl3-nss_7.26.0-1+wheezy17_amd64.deb
 c8651fa6595b0e0252b9ce2bbd1e8bb8417cc32c6532ae992e63a2e16cd16a90 1276094 libcurl4-openssl-dev_7.26.0-1+wheezy17_amd64.deb
 287b8f06478c38a44aacad0114d4e1ec3ba89ea191dfc7c9acc5a3a7557e921b 1265144 libcurl4-gnutls-dev_7.26.0-1+wheezy17_amd64.deb
 de10a5bf346338545617b5e47c8749a8e3676167ca860002ddf1786668f3adc8 1272604 libcurl4-nss-dev_7.26.0-1+wheezy17_amd64.deb
 a718464c89da7a2343252d7eab6452693429fe74d888695e194515685e932af5 3310262 libcurl3-dbg_7.26.0-1+wheezy17_amd64.deb
 fd754959527ec6ab2072c08af4e0aa8d 2693 web optional curl_7.26.0-1+wheezy17.dsc
 3fa4d5236f2a36ca5c3af6715e837691 3073624 web optional curl_7.26.0.orig.tar.gz
 ed41903ebb2e985aff9ebf175b13252f 63572 web optional curl_7.26.0-1+wheezy17.debian.tar.gz
 c510da83eb6e99e24090c6a0a718f709 272596 web optional curl_7.26.0-1+wheezy17_amd64.deb
 86559e946ace252f38a29606b6fed652 334172 libs optional libcurl3_7.26.0-1+wheezy17_amd64.deb
 4b38461bc4517bc456ef704c160d4999 325386 libs optional libcurl3-gnutls_7.26.0-1+wheezy17_amd64.deb
 f0ce50fa651bccc2c01adcace7f8fbbc 331908 libs optional libcurl3-nss_7.26.0-1+wheezy17_amd64.deb
 312aaee8c4ff6bf2e853f91782c99e44 1276094 libdevel optional libcurl4-openssl-dev_7.26.0-1+wheezy17_amd64.deb
 e72d15fc02db9a89ceb9182564e1d941 1265144 libdevel optional libcurl4-gnutls-dev_7.26.0-1+wheezy17_amd64.deb
 37a9215ae608cd16d0b32ed76c3a4002 1272604 libdevel optional libcurl4-nss-dev_7.26.0-1+wheezy17_amd64.deb
 54e778886e805d7cd25ba23c680caeb5 3310262 debug extra libcurl3-dbg_7.26.0-1+wheezy17_amd64.deb



Reply to: