Bug#774900: unblock: curl/7.38.0-4
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package curl, it provides a patch for CVE-2014-8150.
See attached debdiff.
unblock curl/7.38.0-4
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru curl-7.38.0/debian/changelog curl-7.38.0/debian/changelog
--- curl-7.38.0/debian/changelog 2014-11-06 11:40:27.000000000 +0100
+++ curl-7.38.0/debian/changelog 2015-01-08 10:47:32.000000000 +0100
@@ -1,3 +1,11 @@
+curl (7.38.0-4) unstable; urgency=high
+
+ * Fix URL request injection vulnerability as per CVE-2014-8150
+ http://curl.haxx.se/docs/adv_20150108B.html
+ * Set urgency=high accordingly
+
+ -- Alessandro Ghedini <ghedo@debian.org> Thu, 08 Jan 2015 10:47:24 +0100
+
curl (7.38.0-3) unstable; urgency=high
* Enable all hardening options (Closes: #763372)
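Review bot: The new 7.38.0-4 changelog entry does not name the patch file it introduces. It cites the CVE and the advisory URL, but a reader of the changelog alone cannot tell that the fix lives in debian/patches/12_CVE-2014-8150.patch. Suggest appending the patch name to the first bullet, e.g. "Fix URL request injection vulnerability as per CVE-2014-8150 (12_CVE-2014-8150.patch)".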
diff -Nru curl-7.38.0/debian/patches/12_CVE-2014-8150.patch curl-7.38.0/debian/patches/12_CVE-2014-8150.patch
--- curl-7.38.0/debian/patches/12_CVE-2014-8150.patch 1970-01-01 01:00:00.000000000 +0100
+++ curl-7.38.0/debian/patches/12_CVE-2014-8150.patch 2015-01-08 10:47:32.000000000 +0100
@@ -0,0 +1,27 @@
+From 4e2ac2afa94f014a2a015c48c678e2367a63ae82 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 25 Dec 2014 23:55:03 +0100
+Subject: [PATCH] url-parsing: reject CRLFs within URLs
+
+Bug: http://curl.haxx.se/docs/adv_20150108B.html
+Reported-by: Andrey Labunets
+---
+ lib/url.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -3784,6 +3784,13 @@
+
+ *prot_missing = FALSE;
+
++ /* We might pass the entire URL into the request so we need to make sure
++ * there are no bad characters in there.*/
++ if(strpbrk(data->change.url, "\r\n")) {
++ failf(data, "Illegal characters found in URL");
++ return CURLE_URL_MALFORMAT;
++ }
++
+ /*************************************************************
+ * Parse the URL.
+ *
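Review bot: The added check in lib/url.c, `strpbrk(data->change.url, "\r\n")`, rejects only literal CR and LF bytes, while the comment above it speaks of "bad characters" in general. Either narrow the comment to say CR/LF, or state why other control characters are out of scope for this fix. The diffstat lists only lib/url.c (7 insertions), so no regression test ships with the change; a test asserting that a URL containing a line break returns CURLE_URL_MALFORMAT would keep the check from being lost in a later refactor of the parsing code. Minor: the failf message "Illegal characters found in URL" could name CR/LF so the failure is easier to diagnose from logs, and the comment's closing "there.*/" is missing a space.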
diff -Nru curl-7.38.0/debian/patches/series curl-7.38.0/debian/patches/series
--- curl-7.38.0/debian/patches/series 2014-11-06 11:40:27.000000000 +0100
+++ curl-7.38.0/debian/patches/series 2015-01-08 10:47:32.000000000 +0100
@@ -8,6 +8,7 @@
09_libtoolize_check.patch
10_fix-resolver.patch
11_CVE-2014-3707.patch
+12_CVE-2014-8150.patch
# do not add patches below
90_gnutls.patch