
Bug#1120445: marked as done (trixie-pu: package curl/8.14.1-2+deb13u2)



Your message dated Sat, 15 Nov 2025 11:21:45 +0000
with message-id <736c7150dc08501cc89945035c406eaf9688e144.camel@adam-barratt.org.uk>
and subject line Closing requests for updates included in 13.2
has caused the Debian Bug report #1120445,
regarding trixie-pu: package curl/8.14.1-2+deb13u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1120445: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120445
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Control: affects -1 + src:curl
X-Debbugs-Cc: curl@packages.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: trixie
Severity: normal

[ Reason ]

Fix CVE-2025-11563; the previously accepted deb13u1 had an incomplete fix.

The problem comes from upstream, which merged another commit to correctly fix
the CVE.

This upload carries the upstream fix.

It's important to get this staged for the next point release, so we don't
publish deb13u1 which incorrectly claims to fix the CVE.

[ Impact ]

- CVE-2025-11563 is a path traversal vulnerability where users might end up
  with the downloaded files placed in a folder outside of the current working
  directory unintentionally.
- deb13u1 claims to have fixed this CVE, but it's not correct; it's important
  to ship deb13u2 in the same point release to avoid having the incomplete fix
  published.

[ Tests ]

I've manually confirmed the fix works.

Upstream has unit tests confirming it as well; those were broken and got fixed
upstream.

[ Risks ]

This is a single-line change on the patch for CVE-2025-11563.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Import upstream changes from https://github.com/curl/wcurl/pull/75

[ Other info ]
Given the importance of getting this into the next point release, I'm uploading
the package before the confirmation from the release team. I'm assuming this is
ok given the release team has the choice of rejecting the package.

Regards,

--
Samuel Henrique <samueloph>
diff -Nru curl-8.14.1/debian/changelog curl-8.14.1/debian/changelog
--- curl-8.14.1/debian/changelog	2025-10-05 14:03:32.000000000 -0700
+++ curl-8.14.1/debian/changelog	2025-11-09 06:49:56.000000000 -0800
@@ -1,3 +1,10 @@
+curl (8.14.1-2+deb13u2) trixie; urgency=medium
+
+  * d/p/wcurl-CVE-2025-11563.patch: Pull upstream changes to actually fix
+    CVE-2025-11563
+
+ -- Samuel Henrique <samueloph@debian.org>  Sun, 09 Nov 2025 06:49:56 -0800
+
 curl (8.14.1-2+deb13u1) trixie; urgency=medium
 
   [ Alex ]
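Review bot: The changelog entry `  * d/p/wcurl-CVE-2025-11563.patch: Pull upstream changes to actually fix` / `    CVE-2025-11563` does not say why a second upload for the same CVE is needed; for anyone reading the changelog without this bug, state that the 8.14.1-2+deb13u1 fix was incomplete and name the upstream change (https://github.com/curl/wcurl/pull/75, cited in the cover letter), so the entry is self-explanatory.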
diff -Nru curl-8.14.1/debian/patches/wcurl-CVE-2025-11563.patch curl-8.14.1/debian/patches/wcurl-CVE-2025-11563.patch
--- curl-8.14.1/debian/patches/wcurl-CVE-2025-11563.patch	2025-10-05 14:03:32.000000000 -0700
+++ curl-8.14.1/debian/patches/wcurl-CVE-2025-11563.patch	2025-11-09 06:49:56.000000000 -0800
@@ -1,4 +1,3 @@
-From 524f7e733237cd26553dfd76adda521d3150d852 Mon Sep 17 00:00:00 2001
 From: Samuel Henrique <samueloph@debian.org>
 Date: Sun, 12 Oct 2025 14:39:46 +0100
 Subject: [PATCH] Don't percent-decode '/' and '\' in output file name
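Review bot: Removing the `-From 524f7e733237cd26553dfd76adda521d3150d852 Mon Sep 17 00:00:00 2001` line drops the only reference to the upstream commit, at the point where the patch stops corresponding to a single commit; consider recording provenance instead with a DEP-3 `Origin:` header that names the original commit and the follow-up PR, so the combined patch stays traceable.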
@@ -12,12 +11,14 @@
  * Swap placement of logical AND (&&) operator in conditions of the if
    statement to match the new approach; i.e.; they are written in the beginning
    of the line instead of the end now.
+ * Pull fix from https://github.com/curl/wcurl/pull/75, prefixing values
+   in UNSAFE_PERCENT_ENCODE with "%".
 ---
  scripts/wcurl | 28 +++++++++++++++++++++++++---
  1 file changed, 25 insertions(+), 3 deletions(-)
 
 diff --git a/scripts/wcurl b/scripts/wcurl
-index 84b981a..3d768a1 100755
+index 84b981a..a70c3b8 100755
 --- a/scripts/wcurl
 +++ b/scripts/wcurl
 @@ -113,6 +113,13 @@ readonly PER_URL_PARAMETERS="\
@@ -29,7 +30,7 @@
 +# characters.
 +# 2F = /
 +# 5C = \
-+readonly UNSAFE_PERCENT_ENCODE="2F 5C"
++readonly UNSAFE_PERCENT_ENCODE="%2F %5C"
 +
  # Whether to invoke curl or not.
  DRY_RUN="false"
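Review bot: The only functional change is `++readonly UNSAFE_PERCENT_ENCODE="%2F %5C"`, and the [ Tests ] section says upstream's unit tests for this were also broken and fixed; neither this debdiff nor the diffstat (`1 file changed`, scripts/wcurl only) carries that test change, so the package build will not catch a regression of this constant. Consider importing the test fix as well, or noting in the changelog why it was left out.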

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 13.2

Hi,

The updates referenced in each of these bugs were included in today's
13.2 trixie point release.

Regards,

Adam

--- End Message ---
