Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 949330 (CVE-2025-0167, CVE-2025-0665, CVE-2025-0725) - <net-misc/curl-8.12.0: multiple vulnerabilities
Summary: <net-misc/curl-8.12.0: multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2025-0167, CVE-2025-0665, CVE-2025-0725
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://curl.se/docs/security.html
Whiteboard: B3 [glsa?]
Keywords:
Depends on: 951581
Blocks:
  Show dependency tree
 
Reported: 2025-02-05 08:45 UTC by Matt Jolly
Modified: 2025-04-03 17:55 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Matt Jolly gentoo-dev 2025-02-05 08:45:40 UTC
Curl 8.12.0 (already in-tree) contains fixes for the following CVEs:

CVE-2025-0725: gzip integer overflow 
CVE-2025-0665: eventfd double close
CVE-2025-0167: netrc and default credential leak
Comment 1 Tomáš Mózes 2025-02-10 08:56:27 UTC
https://github.com/curl/curl/discussions/16259
Comment 2 Tomáš Mózes 2025-02-13 07:41:58 UTC
8.12.1 is out: https://github.com/curl/curl/releases/tag/curl-8_12_1
Comment 3 Tomáš Mózes 2025-02-14 12:25:59 UTC
8.12.1 looks better, the regression from 8.12.0 is gone (at least our use case).
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-02-14 12:26:03 UTC
commit 893edb6df0a8cbe0902fb4b6d3e8f09a782fd349 (origin/master, origin/HEAD)
Author: Matt Jolly <kangie@gentoo.org>
Date:   Fri Feb 14 22:12:34 2025 +1000

    net-misc/curl: add 8.12.1

    Signed-off-by: Matt Jolly <kangie@gentoo.org>
Comment 5 Larry the Git Cow gentoo-dev 2025-04-03 15:26:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d682a759788a14c1d3eea5bf48e0bff7d01f98d7

commit d682a759788a14c1d3eea5bf48e0bff7d01f98d7
Author:     Christopher Fore <csfore@posteo.net>
AuthorDate: 2025-03-30 23:15:21 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2025-04-03 15:25:59 +0000

    net-misc/curl: drop 8.11.1-r2
    
    Bug: https://bugs.gentoo.org/949330
    Signed-off-by: Christopher Fore <csfore@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/41393
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/curl/Manifest              |   2 -
 net-misc/curl/curl-8.11.1-r2.ebuild | 384 ------------------------------------
 2 files changed, 386 deletions(-)