Bug#774900: unblock: curl/7.38.0-4

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#774900: unblock: curl/7.38.0-4
From: Alessandro Ghedini <ghedo@debian.org>
Date: Thu, 08 Jan 2015 21:09:55 +0100
Message-id: <[🔎] 20150108200955.4000.51952.reportbug@kronk.local>
Reply-to: Alessandro Ghedini <ghedo@debian.org>, 774900@bugs.debian.org

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package curl, it provides a patch for CVE-2014-8150.

See attached debdiff.

unblock curl/7.38.0-4

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru curl-7.38.0/debian/changelog curl-7.38.0/debian/changelog
--- curl-7.38.0/debian/changelog	2014-11-06 11:40:27.000000000 +0100
+++ curl-7.38.0/debian/changelog	2015-01-08 10:47:32.000000000 +0100
@@ -1,3 +1,11 @@
+curl (7.38.0-4) unstable; urgency=high
+
+  * Fix URL request injection vulnerability as per CVE-2014-8150
+    http://curl.haxx.se/docs/adv_20150108B.html
+  * Set urgency=high accordingly
+
+ -- Alessandro Ghedini <ghedo@debian.org>  Thu, 08 Jan 2015 10:47:24 +0100
+
 curl (7.38.0-3) unstable; urgency=high
 
   * Enable all hardening options (Closes: #763372)
diff -Nru curl-7.38.0/debian/patches/12_CVE-2014-8150.patch curl-7.38.0/debian/patches/12_CVE-2014-8150.patch
--- curl-7.38.0/debian/patches/12_CVE-2014-8150.patch	1970-01-01 01:00:00.000000000 +0100
+++ curl-7.38.0/debian/patches/12_CVE-2014-8150.patch	2015-01-08 10:47:32.000000000 +0100
@@ -0,0 +1,27 @@
+From 4e2ac2afa94f014a2a015c48c678e2367a63ae82 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 25 Dec 2014 23:55:03 +0100
+Subject: [PATCH] url-parsing: reject CRLFs within URLs
+
+Bug: http://curl.haxx.se/docs/adv_20150108B.html
+Reported-by: Andrey Labunets
+---
+ lib/url.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -3784,6 +3784,13 @@
+ 
+   *prot_missing = FALSE;
+ 
++  /* We might pass the entire URL into the request so we need to make sure
++   * there are no bad characters in there.*/
++  if(strpbrk(data->change.url, "\r\n")) {
++    failf(data, "Illegal characters found in URL");
++    return CURLE_URL_MALFORMAT;
++  }
++
+   /*************************************************************
+    * Parse the URL.
+    *
diff -Nru curl-7.38.0/debian/patches/series curl-7.38.0/debian/patches/series
--- curl-7.38.0/debian/patches/series	2014-11-06 11:40:27.000000000 +0100
+++ curl-7.38.0/debian/patches/series	2015-01-08 10:47:32.000000000 +0100
@@ -8,6 +8,7 @@
 09_libtoolize_check.patch
 10_fix-resolver.patch
 11_CVE-2014-3707.patch
+12_CVE-2014-8150.patch
 
 # do not add patches below
 90_gnutls.patch

Reply to:

Follow-Ups:
- Bug#774900: marked as done (unblock: curl/7.38.0-4)
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Bug#774880: nmu: maya-calendar_0.3-1~experimental1
Next by Date: Bug#774878: marked as done (unblock: libetpan/1.5-2)
Previous by thread: Bug#774880: marked as done (nmu: maya-calendar_0.3-1~experimental1)
Next by thread: Bug#774900: marked as done (unblock: curl/7.38.0-4)
Index(es):
- Date
- Thread