
Bug#1120445: trixie-pu: package curl/8.14.1-2+deb13u2



Package: release.debian.org
Control: affects -1 + src:curl
X-Debbugs-Cc: curl@packages.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: trixie
Severity: normal

[ Reason ]

Fix CVE-2025-11563; the previously accepted deb13u1 had an incomplete fix.

The problem comes from upstream, which merged another commit to correctly fix
the CVE.

This upload carries the upstream fix.

It's important to get this staged for the next point release, so we don't
publish deb13u1 which incorrectly claims to fix the CVE.

[ Impact ]

- CVE-2025-11563 is a path traversal vulnerability where users might end up
  with the downloaded files placed in a folder outside of the current working
  directory unintentionally.
- deb13u1 claims to have fixed this CVE, but that is not correct; it's important
  to ship deb13u2 in the same point release to avoid having the incomplete fix
  published.

[ Tests ]

I've manually confirmed the fix works.

Upstream has unit tests confirming it as well; those were broken and got fixed
upstream.

[ Risks ]

This is a single-line change on the patch for CVE-2025-11563.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Import upstream changes from https://github.com/curl/wcurl/pull/75

[ Other info ]
Given the importance of getting this into the next point release, I'm uploading
the package before the confirmation from the release team. I'm assuming this is
ok given the release team has the choice of rejecting the package.

Regards,

--
Samuel Henrique <samueloph>
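The [ Impact ] section above describes the bug class: when the output file name is derived from the URL and then percent-decoded, an encoded %2F or %5C becomes a real path separator and the download lands outside the working directory. The following is an added example written for this page, not wcurl's own code, showing a minimal POSIX sh decoder that keeps those two sequences encoded in either hex case, next to the naive decoder that does not, plus the separator check a caller should still run on the result. The function names and the sample URL are made up for the illustration.

```shell
#!/bin/sh
# Added example (not wcurl's code): derive a local file name from a URL while
# refusing to turn percent-encoded path separators into real ones.

# percent_decode STRING MODE
#   MODE=naive : decode every %HH sequence (the vulnerable behaviour)
#   MODE=safe  : decode every %HH except %2F, %5C (either hex case), which are
#                left encoded so they can never act as a separator
# Malformed sequences (e.g. "%zz", trailing "%2") are copied through unchanged.
percent_decode() {
    pd_s=$1; pd_mode=$2; pd_out=''
    while [ -n "$pd_s" ]; do
        pd_c=${pd_s%"${pd_s#?}"}      # first character
        pd_s=${pd_s#?}
        if [ "$pd_c" = '%' ]; then
            pd_hex=${pd_s%"${pd_s#??}"}   # next two characters, if any
            case "$pd_hex" in
                [0-9A-Fa-f][0-9A-Fa-f])
                    pd_s=${pd_s#??}
                    case "$pd_mode-$pd_hex" in
                        safe-2[Ff]|safe-5[Cc]) pd_out="$pd_out%$pd_hex"; continue ;;
                    esac
                    # hex -> octal -> byte; note %0A/%00 are not special-cased here
                    pd_out="$pd_out$(printf "\\$(printf '%03o' "$((0x$pd_hex))")")"
                    ;;
                *) pd_out="$pd_out%" ;;
            esac
        else
            pd_out="$pd_out$pd_c"
        fi
    done
    printf '%s\n' "$pd_out"
}

# basename_from_url URL: last path segment, still percent-encoded,
# with scheme, host, query string and fragment stripped.
basename_from_url() {
    bu_p=${1#*://}; bu_p=${bu_p#*/}; bu_p=${bu_p%%\?*}; bu_p=${bu_p%%#*}
    printf '%s\n' "${bu_p##*/}"
}

# contains_separator NAME: succeeds if NAME holds a '/' or a '\'.
contains_separator() {
    case "$1" in */*|*\\*) return 0 ;; esac
    return 1
}

# safe_output_name URL: prints a file name that stays inside the current
# directory, or fails (returns 1) if no acceptable name can be derived.
safe_output_name() {
    so_name=$(percent_decode "$(basename_from_url "$1")" safe)
    if [ -z "$so_name" ] || [ "$so_name" = . ] || [ "$so_name" = .. ] \
        || contains_separator "$so_name"; then
        return 1
    fi
    printf '%s\n' "$so_name"
}

# Constructed sample: an attacker-controlled path segment with encoded slashes.
SAMPLE_URL='https://example.com/dl/..%2F..%2Fetc%2Fcron.d%2Fjob?x=1'
echo "naive: $(percent_decode "$(basename_from_url "$SAMPLE_URL")" naive)"
echo "safe:  $(safe_output_name "$SAMPLE_URL")"
```

The naive decoder yields `../../etc/cron.d/job`, which a downloader would happily write to; the safe one yields `..%2F..%2Fetc%2Fcron.d%2Fjob`, an odd but harmless single file name. Note that the hex comparison is case-insensitive, since `%2f` and `%2F` decode to the same byte; a fix that only matches upper-case sequences would still be bypassable.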
diff -Nru curl-8.14.1/debian/changelog curl-8.14.1/debian/changelog
--- curl-8.14.1/debian/changelog	2025-10-05 14:03:32.000000000 -0700
+++ curl-8.14.1/debian/changelog	2025-11-09 06:49:56.000000000 -0800
@@ -1,3 +1,10 @@
+curl (8.14.1-2+deb13u2) trixie; urgency=medium
+
+  * d/p/wcurl-CVE-2025-11563.patch: Pull upstream changes to actually fix
+    CVE-2025-11563
+
+ -- Samuel Henrique <samueloph@debian.org>  Sun, 09 Nov 2025 06:49:56 -0800
+
 curl (8.14.1-2+deb13u1) trixie; urgency=medium
 
   [ Alex ]
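Review bot: the new changelog entry says what was pulled but not from where or why; since the [ Changes ] section already names https://github.com/curl/wcurl/pull/75, cite that URL in the entry and state that the deb13u1 fix was incomplete, so the changelog alone explains why CVE-2025-11563 appears in two consecutive uploads.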
diff -Nru curl-8.14.1/debian/patches/wcurl-CVE-2025-11563.patch curl-8.14.1/debian/patches/wcurl-CVE-2025-11563.patch
--- curl-8.14.1/debian/patches/wcurl-CVE-2025-11563.patch	2025-10-05 14:03:32.000000000 -0700
+++ curl-8.14.1/debian/patches/wcurl-CVE-2025-11563.patch	2025-11-09 06:49:56.000000000 -0800
@@ -1,4 +1,3 @@
-From 524f7e733237cd26553dfd76adda521d3150d852 Mon Sep 17 00:00:00 2001
 From: Samuel Henrique <samueloph@debian.org>
 Date: Sun, 12 Oct 2025 14:39:46 +0100
 Subject: [PATCH] Don't percent-decode '/' and '\' in output file name
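Review bot: dropping the "From 524f7e73..." line removes the only record of which upstream commit this patch was taken from, and the patch now also folds in a second upstream change; consider replacing it with a DEP-3 "Origin:" header listing both upstream sources so the provenance survives the hand edit.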
@@ -12,12 +11,14 @@
  * Swap placement of logical AND (&&) operator in conditions of the if
    statement to match the new approach; i.e.; they are written in the beginning
    of the line instead of the end now.
+ * Pull fix from https://github.com/curl/wcurl/pull/75, prefixing values
+   in UNSAFE_PERCENT_ENCODE with "%".
 ---
  scripts/wcurl | 28 +++++++++++++++++++++++++---
  1 file changed, 25 insertions(+), 3 deletions(-)
 
 diff --git a/scripts/wcurl b/scripts/wcurl
-index 84b981a..3d768a1 100755
+index 84b981a..a70c3b8 100755
 --- a/scripts/wcurl
 +++ b/scripts/wcurl
 @@ -113,6 +113,13 @@ readonly PER_URL_PARAMETERS="\
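Review bot: the added bullet records the change ("prefixing values in UNSAFE_PERCENT_ENCODE with '%'") but not why the bare "2F 5C" values did not work; a one-line note on how the list is matched against the file name would let a reviewer confirm from the header alone that this is the complete fix, since the consuming code is not part of this diff.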
@@ -29,7 +30,7 @@
 +# characters.
 +# 2F = /
 +# 5C = \
-+readonly UNSAFE_PERCENT_ENCODE="2F 5C"
++readonly UNSAFE_PERCENT_ENCODE="%2F %5C"
 +
  # Whether to invoke curl or not.
  DRY_RUN="false"
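Review bot: the two comment lines above the changed line still read "# 2F = /" and "# 5C = \" while the list now carries "%2F %5C"; update them to the prefixed form so the comment matches the value. It is also worth confirming, since the comparison is not visible in this hunk, that lower-case "%2f" and "%5c" are caught as well, as they decode to the same separators.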
