
Bug#705340: marked as done (tpu: curl/7.26.0-1+wheezy2)



Your message dated Sat, 13 Apr 2013 15:40:17 +0100
with message-id <1365864017.4627.36.camel@jacala.jungle.funky-badger.org>
and subject line Re: Bug#705340: tpu: curl/7.26.0-1+wheezy2
has caused the Debian Bug report #705340,
regarding tpu: curl/7.26.0-1+wheezy2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
705340: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=705340
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi Release Team

I would like to upload curl/7.26.0-1+wheezy2 via t-p-u fixing
#705274 (CVE-2013-1944). Attached is the prepared debdiff for
this.

In case you wonder why Alessandro did not do the uploads: Alessandro
contacted the comaintainers and security team to ask if we can do the uploads.

Does it also look okay to you? Can I proceed with the upload for
wheezy-proposed-updates? (Would you prefer testing-proposed-updates
instead?)

unblock curl/7.26.0-1+wheezy2

Many thanks for your work for the release!

Regards,
Salvatore
diff -Nru curl-7.26.0/debian/changelog curl-7.26.0/debian/changelog
--- curl-7.26.0/debian/changelog	2013-02-10 19:15:35.000000000 +0100
+++ curl-7.26.0/debian/changelog	2013-04-13 11:52:34.000000000 +0200
@@ -1,3 +1,15 @@
+curl (7.26.0-1+wheezy2) wheezy-proposed-updates; urgency=high
+
+  [ Alessandro Ghedini ]
+  * Fix cookie domain tailmatch as per CVE-2013-1944
+    http://curl.haxx.se/docs/adv_20130412.html (Closes: #705274)
+  * Set urgency=high accordingly
+
+  [ Salvatore Bonaccorso ]
+  * Add testcase for CVE-2013-1944
+
+ -- Alessandro Ghedini <ghedo@debian.org>  Wed, 10 Apr 2013 22:56:48 +0200
+
 curl (7.26.0-1+wheezy1) testing-proposed-updates; urgency=high
 
   * Fix buffer overflow when negotiating SMTP DIGEST-MD5 authentication
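Review bot: the trailer of the new entry is dated Wed, 10 Apr 2013 22:56:48 +0200, which predates both the advisory it links to (adv_20130412) and the 2013-04-13 timestamp of this changelog in the debdiff, so the timestamp should be refreshed to when the entry was finalised. The entry also targets wheezy-proposed-updates while the +wheezy1 entry below used testing-proposed-updates; the covering mail asks which is preferred, so the distribution field should follow the answer. "Add testcase for CVE-2013-1944" could name test1218 so the entry maps directly to 07_test1218-another-cookie-tailmatch-test.patch.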
diff -Nru curl-7.26.0/debian/patches/06_curl-tailmatch-CVE-2013-1944.patch curl-7.26.0/debian/patches/06_curl-tailmatch-CVE-2013-1944.patch
--- curl-7.26.0/debian/patches/06_curl-tailmatch-CVE-2013-1944.patch	1970-01-01 01:00:00.000000000 +0100
+++ curl-7.26.0/debian/patches/06_curl-tailmatch-CVE-2013-1944.patch	2013-04-13 11:52:34.000000000 +0200
@@ -0,0 +1,51 @@
+From 5b1bca89609f67fcd27cea0e9f382c8c1caad041 Mon Sep 17 00:00:00 2001
+From: YAMADA Yasuharu <yasuharu.yamada@access-company.com>
+Date: Wed, 10 Apr 2013 11:22:09 +0200
+Subject: [PATCH] cookie: fix tailmatching to prevent cross-domain leakage
+
+Cookies set for 'example.com' could accidentaly also be sent by libcurl
+to the 'bexample.com' (ie with a prefix to the first domain name).
+
+ lib/cookie.c        |   24 +++++++++++++++++++-----
+ 2 files changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 4b9ec0b..a67204e 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -118,15 +118,29 @@ static void freecookie(struct Cookie *co)
+   free(co);
+ }
+ 
+-static bool tailmatch(const char *little, const char *bigone)
++static bool tailmatch(const char *cooke_domain, const char *hostname)
+ {
+-  size_t littlelen = strlen(little);
+-  size_t biglen = strlen(bigone);
++  size_t cookie_domain_len = strlen(cooke_domain);
++  size_t hostname_len = strlen(hostname);
+ 
+-  if(littlelen > biglen)
++  if(hostname_len < cookie_domain_len)
+     return FALSE;
+ 
+-  return Curl_raw_equal(little, bigone+biglen-littlelen) ? TRUE : FALSE;
++  if(!Curl_raw_equal(cooke_domain, hostname+hostname_len-cookie_domain_len))
++    return FALSE;
++
++  /* A lead char of cookie_domain is not '.'.
++     RFC6265 4.1.2.3. The Domain Attribute says:
++       For example, if the value of the Domain attribute is
++       "example.com", the user agent will include the cookie in the Cookie
++       header when making HTTP requests to example.com, www.example.com, and
++       www.corp.example.com.
++   */
++  if(hostname_len == cookie_domain_len)
++    return TRUE;
++  if('.' == *(hostname + hostname_len - cookie_domain_len - 1))
++    return TRUE;
++  return FALSE;
+ }
+ 
+ /*
+
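Review bot: the final '.' check in tailmatch() is only correct if cookie_domain never starts with a dot, and that precondition is stated only in the comment ("A lead char of cookie_domain is not '.'"). With a stored domain of ".example.com" and a host of "www.example.com", the Curl_raw_equal tail comparison succeeds but the character before the match is 'w', so the function returns FALSE and the cookie is withheld; with host "example.com" the length check already returns FALSE. test1218 in the next patch sets `domain=.example.fake` and still expects `Cookie: bug=fixed` on the second request to example.fake, so the caller must be stripping the dot before storing the domain; please confirm that and either state it as a requirement in the function comment or handle a leading dot here. Smaller points: the parameter is spelled `cooke_domain` throughout, and the diffstat says "2 files changed, 21 insertions(+), 6 deletions(-)" while only lib/cookie.c (24 lines) is listed and patched, so the header no longer matches the patch body.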
diff -Nru curl-7.26.0/debian/patches/07_test1218-another-cookie-tailmatch-test.patch curl-7.26.0/debian/patches/07_test1218-another-cookie-tailmatch-test.patch
--- curl-7.26.0/debian/patches/07_test1218-another-cookie-tailmatch-test.patch	1970-01-01 01:00:00.000000000 +0100
+++ curl-7.26.0/debian/patches/07_test1218-another-cookie-tailmatch-test.patch	2013-04-13 11:52:34.000000000 +0200
@@ -0,0 +1,101 @@
+From 5c5e1a1cd206ad8feadaa83a37d0326ba45cf45d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 10 Apr 2013 13:40:36 +0200
+Subject: [PATCH] test1218: another cookie tailmatch test
+
+... and make 1216 also verify it with a file input
+
+These tests verify commit 3604fde3d3c9b0d, the fix for the "cookie
+domain tailmatch" vulnerability. See
+http://curl.haxx.se/docs/adv_20130412.html
+---
+ tests/data/Makefile.am |    2 +-
+ tests/data/test1216    |    3 ++-
+ tests/data/test1218    |   61 ++++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 64 insertions(+), 2 deletions(-)
+ create mode 100644 tests/data/test1218
+
+--- /dev/null
++++ b/tests/data/test1218
+@@ -0,0 +1,61 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++HTTP GET
++HTTP proxy
++cookies
++</keywords>
++</info>
++
++# This test is very similar to 1216, only that it sets the cookies from the
++# first site instead of reading from a file
++<reply>
++<data>
++HTTP/1.1 200 OK
++Date: Tue, 25 Sep 2001 19:37:44 GMT
++Set-Cookie: domain=.example.fake; bug=fixed;
++Content-Length: 21
++
++This server says moo
++</data>
++</reply>
++
++# Client-side
++<client>
++<server>
++http
++</server>
++ <name>
++HTTP cookies and domains with same prefix
++ </name>
++ <command>
++http://example.fake/c/1218 http://example.fake/c/1218 http://bexample.fake/c/1218 -b nonexisting -x %HOSTIP:%HTTPPORT
++</command>
++</client>
++
++# Verify data after the test has been "shot"
++<verify>
++<strip>
++^User-Agent:.*
++</strip>
++<protocol>
++GET http://example.fake/c/1218 HTTP/1.1
++Host: example.fake
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++GET http://example.fake/c/1218 HTTP/1.1
++Host: example.fake
++Accept: */*
++Proxy-Connection: Keep-Alive
++Cookie: bug=fixed
++
++GET http://bexample.fake/c/1218 HTTP/1.1
++Host: bexample.fake
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++</protocol>
++</verify>
++</testcase>
+--- a/tests/data/Makefile.am
++++ b/tests/data/Makefile.am
+@@ -78,6 +78,7 @@
+ test1126 test1127 test1128 test1129 test1130 test1131 \
+ test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
+ test1208 test1209 test1210 test1211 \
++test1218 \
+ test1220 \
+ test1300 test1301 test1302 test1303 test1304 test1305	\
+ test1306 test1307 test1308 test1309 test1310 test1311 test1312 test1313 \
+--- a/tests/data/Makefile.in
++++ b/tests/data/Makefile.in
+@@ -337,6 +337,7 @@
+ test1126 test1127 test1128 test1129 test1130 test1131 \
+ test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
+ test1208 test1209 test1210 test1211 \
++test1218 \
+ test1220 \
+ test1300 test1301 test1302 test1303 test1304 test1305	\
+ test1306 test1307 test1308 test1309 test1310 test1311 test1312 test1313 \
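Review bot: the header and body of this patch disagree about test1216. The message says "make 1216 also verify it with a file input" and the diffstat lists tests/data/test1216, but no test1216 hunk is included, and the Makefile.am context goes from test1211 straight to the added test1218, so 1216 does not appear in this tree's list. The body also patches tests/data/Makefile.in, which the diffstat does not list. Please add a short note to the patch header describing how it was adapted for 7.26.0, and adjust the "very similar to 1216" comment in test1218 if that test is not shipped here. The message cites commit 3604fde3d3c9b0d as the fix, while 06_curl-tailmatch-CVE-2013-1944.patch carries 5b1bca89609f67fcd27cea0e9f382c8c1caad041 in its From line; it is worth stating which upstream commits the two patches correspond to.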
diff -Nru curl-7.26.0/debian/patches/series curl-7.26.0/debian/patches/series
--- curl-7.26.0/debian/patches/series	2013-02-10 19:14:42.000000000 +0100
+++ curl-7.26.0/debian/patches/series	2013-04-13 11:52:34.000000000 +0200
@@ -3,6 +3,8 @@
 03_keep_symbols_compat.patch
 04_workaround_as_needed_bug.patch
 05_curl-sasl-CVE-2013-0249.patch
+06_curl-tailmatch-CVE-2013-1944.patch
+07_test1218-another-cookie-tailmatch-test.patch
 
 90_gnutls.patch
 99_nss.patch

--- End Message ---
--- Begin Message ---
On Sat, 2013-04-13 at 15:01 +0200, Salvatore Bonaccorso wrote:
> On Sat, Apr 13, 2013 at 11:38:04AM +0100, Adam D. Barratt wrote:
> > On Sat, 2013-04-13 at 12:22 +0200, Salvatore Bonaccorso wrote:
> > > I would like to upload curl/7.26.0-1+wheezy2 via t-p-u fixing
> > > #705274 (CVE-2013-1944). Attached is the prepared debdiff for
> > > this.
> > 
> > Please go ahead; thanks.
> 
> Uploaded, and thanks!

Unblocked; thanks.

Regards,

Adam

--- End Message ---
