Bug 308645

Summary: net-misc/curl <7.10.5; 7.19.7> data callback excessive length (CVE-2010-0734)
Product: Gentoo Security
Reporter: Petr Pisar <petr.pisar>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: dragonheart, jaak, spatz
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://curl.haxx.se/docs/adv_20100209.html
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 315507
Bug Blocks:
Attachments:
  Security patch released by upstream (flags: none)
  Fix for 7.19* (flags: none)

Description Petr Pisar 2010-03-09 13:35:22 UTC
curl versions between 7.10.5 and 7.19.7 inclusive contain a security flaw that can cause a buffer overflow in an application. The application must download compressed data, must request in-library decompression and must rely on the compile-time constant CURL_MAX_WRITE_SIZE.

Upstream provides a patch and a new unaffected version, 7.20.0.

Reproducible: Always

Steps to Reproduce:
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-18 00:17:45 UTC
Please provide an updated ebuild.
Comment 2 Petr Pisar 2010-03-18 07:59:21 UTC
Created attachment 224071
Security patch released by upstream

This FILESDIR file fixes the bug in <=curl-7.19*
Comment 3 Petr Pisar 2010-03-18 08:02:20 UTC
Created attachment 224073
Fix for 7.19*

Updated ebuild for curl-7.19*. Requires files/libcurl-contentencoding.patch.
Comment 4 Petr Pisar 2010-03-18 08:04:00 UTC
~net-misc/curl-7.20.0 has been put into portage meanwhile. These ebuilds are not affected.
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-18 18:40:09 UTC
Is it ok to go stable?
Comment 6 Petr Pisar 2010-03-18 19:12:10 UTC
(In reply to comment #5)
> Is it ok to go stable?
> 
If it's a question to me, then I'll say I have no problem (net-misc/curl-7.20.0-r1 (idn ipv6 ssl) on x86).

According to the libcurl mailing list, there are some issues on win32, Darwin, VMS and OS400. However, no Linux or functionality issues specific to this release.
Comment 7 Tobias Heinlein (RETIRED) gentoo-dev 2010-03-18 19:21:57 UTC
(In reply to comment #6)
> (In reply to comment #5)
> > Is it ok to go stable?
> > 
> If it's question to me, then I'll say I have no problem

It was targeted at the maintainers of the curl package. So unless you are one, no. Thanks for your input anyway.

dragonheart, is it ok to go stable?
Comment 8 Daniel Black (RETIRED) gentoo-dev 2010-03-21 04:03:29 UTC
Sorry folks, been really busy. Thanks Petr for looking up the background info.

Based on what I've seen and trust in the upstream developer I'm happy for 7.20.0-r1 to go stable.

Also happy for backported patches to be added.
Comment 9 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-03-31 19:46:04 UTC
CVE-2010-0734 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0734):
  content_encoding.c in libcurl 7.10.5 through 7.19.7, when zlib is
  enabled, does not properly restrict the amount of callback data sent
  to an application that requests automatic decompression, which might
  allow remote attackers to cause a denial of service (application
  crash) or have unspecified other impact by sending crafted compressed
  data to an application that relies on the intended data-length limit.

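The application-side pattern the description and the CVE text both refer to, shown as an added example that is not code from this bug, from curl or from Gentoo: a write callback that sizes its buffer on CURL_MAX_WRITE_SIZE and copies without checking (the "relies on the intended data-length limit" case), beside one that bounds the copy on the real buffer and refuses anything larger. The example builds and runs without libcurl; the locally defined CURL_MAX_WRITE_SIZE value, the `struct sink` buffer, the `deliver()` stand-in for libcurl invoking the callback, and the constructed 'A'-filled chunks are all assumptions of the example, not the library's behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Defined locally so this example builds without libcurl headers.
 * 16384 is the value curl/curl.h has long used; treat it as an assumption here. */
#ifndef CURL_MAX_WRITE_SIZE
#define CURL_MAX_WRITE_SIZE 16384
#endif

/* Application-side receive buffer sized on the documented per-callback limit. */
struct sink {
    char buf[CURL_MAX_WRITE_SIZE];
    size_t len;
};

typedef size_t (*write_cb_t)(char *ptr, size_t size, size_t nmemb, void *userdata);

/* BEFORE (the pattern the bug bites): trusts that one callback invocation never
 * carries more than CURL_MAX_WRITE_SIZE bytes, as libcurl documents. With
 * CVE-2010-0734 the in-library zlib decompression could hand over a larger chunk,
 * so this memcpy writes past the end of s->buf. */
static size_t write_cb_trusting(char *ptr, size_t size, size_t nmemb, void *userdata)
{
    struct sink *s = userdata;
    size_t n = size * nmemb;      /* no bound check, no overflow check */
    memcpy(s->buf, ptr, n);
    s->len = n;
    return n;
}

/* AFTER: bound the copy on the real buffer, not on a compile-time constant.
 * Returning anything other than size*nmemb makes libcurl abort the transfer
 * with CURLE_WRITE_ERROR, which is the safe failure mode for oversized input. */
static size_t write_cb_checked(char *ptr, size_t size, size_t nmemb, void *userdata)
{
    struct sink *s = userdata;
    size_t n;

    if (size != 0 && nmemb > SIZE_MAX / size)   /* size*nmemb would wrap */
        return 0;
    n = size * nmemb;
    if (n > sizeof s->buf)                      /* chunk larger than our buffer */
        return 0;
    memcpy(s->buf, ptr, n);
    s->len = n;
    return n;
}

/* Stand-in for libcurl's delivery (assumption of this example): build a
 * constructed chunk of chunk_len 'A' bytes and invoke cb the way libcurl does
 * (size=1, nmemb=chunk_len). Returns the callback's return value, or
 * (size_t)-1 on allocation failure. */
static size_t deliver(write_cb_t cb, size_t chunk_len)
{
    struct sink s;
    char *chunk = malloc(chunk_len ? chunk_len : 1);
    size_t accepted;

    if (chunk == NULL)
        return (size_t)-1;
    memset(chunk, 'A', chunk_len);
    s.len = 0;
    accepted = cb(chunk, 1, chunk_len, &s);
    free(chunk);
    return accepted;
}

int main(void)
{
    size_t in_bound = CURL_MAX_WRITE_SIZE;
    size_t oversized = (size_t)CURL_MAX_WRITE_SIZE + 1;

    printf("trusting, %zu bytes: accepted %zu\n", in_bound, deliver(write_cb_trusting, in_bound));
    printf("checked,  %zu bytes: accepted %zu\n", in_bound, deliver(write_cb_checked, in_bound));
    /* The checked callback rejects the oversized chunk: returns 0, which libcurl
     * reports as CURLE_WRITE_ERROR instead of corrupting memory. */
    printf("checked,  %zu bytes: accepted %zu\n", oversized, deliver(write_cb_checked, oversized));
    /* deliver(write_cb_trusting, oversized) is deliberately not called: it would
     * overrun s.buf on the stack, which is exactly the CVE-2010-0734 condition. */
    return 0;
}
```

The point for an application author is the one the advisory makes: a fix in libcurl removes the oversized chunk, but a callback that sizes a fixed buffer on CURL_MAX_WRITE_SIZE and copies without checking `size * nmemb` is only ever as safe as the library's promise. Checking against the actual buffer and returning a short count costs nothing and turns the same malformed input into an aborted transfer.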
Comment 10 Dror Levin (RETIRED) gentoo-dev 2010-07-01 20:53:32 UTC
Remaining arches, please stabilize ASAP.
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2010-07-03 14:09:54 UTC
alpha/arm/ia64/s390/sh/sparc stable
Comment 12 Tim Sammut (RETIRED) gentoo-dev 2011-01-02 04:07:48 UTC
Thanks, folks. GLSA request filed.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2012-03-06 01:29:51 UTC
This issue was resolved and addressed in
 GLSA 201203-02 at http://security.gentoo.org/glsa/glsa-201203-02.xml
by GLSA coordinator Sean Amoss (ackle).