Summary: net-misc/curl <7.10.5; 7.19.7> data callback excessive length (CVE-2010-0734)
Product: Gentoo Security
Reporter: Petr Pisar <petr.pisar>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: normal
CC: dragonheart, jaak, spatz
Package list:
Runtime testing required: ---
Bug Depends on: 315507
Description Petr Pisar 2010-03-09 13:35:22 UTC
curl versions between 7.10.5 and 7.19.7 inclusive contain a security flaw that can cause a buffer overflow in an application. The application must download compressed data, must request in-library decompression and must rely on the compile-time constant CURL_MAX_WRITE_SIZE. Upstream provides a patch and a new unaffected version, 7.20.0.

Reproducible: Always

Steps to Reproduce:
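The application-side pattern the description refers to, as an added example that is not part of this bug report or of curl's own code: a libcurl write callback that sizes a scratch buffer from CURL_MAX_WRITE_SIZE and copies whatever arrives into it, beside a callback that bounds every copy by the length libcurl actually passed. CURL_MAX_WRITE_SIZE is defined locally here (16384, the value curl ships in curl.h) so the file builds without libcurl; the sink capacity, the 40000- and 70000-byte "decompressed" bodies and the chunk sizes are constructed values, and deliver()/accepted_bytes() only simulate how a decoder hands data to the callback.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: a real build gets this from <curl/curl.h>; 16384 is the value
 * curl ships, defined here so the example is standalone. */
#ifndef CURL_MAX_WRITE_SIZE
#define CURL_MAX_WRITE_SIZE 16384
#endif

/* Application-side sink that accumulates the response body. Capacity is a
 * constructed value for the example. */
struct sink {
    char   buf[4 * CURL_MAX_WRITE_SIZE];
    size_t used;
};

/* Bounds-checked append; returns 0 (refuse) when the chunk does not fit. */
static int sink_append(struct sink *s, const char *p, size_t len)
{
    if (len > sizeof s->buf - s->used)
        return 0;
    memcpy(s->buf + s->used, p, len);
    s->used += len;
    return 1;
}

/* VULNERABLE pattern (the application side of CVE-2010-0734): a stack
 * scratch buffer sized from the library constant, on the assumption that
 * libcurl never delivers more than CURL_MAX_WRITE_SIZE bytes per call. With
 * in-library zlib decompression in libcurl 7.10.5 through 7.19.7 that
 * assumption does not hold, and a crafted compressed body writes past `line`.
 * Never call this with size*nmemb > CURL_MAX_WRITE_SIZE. */
static size_t vulnerable_write_cb(char *ptr, size_t size, size_t nmemb, void *userdata)
{
    struct sink *s = userdata;
    size_t len = size * nmemb;
    char line[CURL_MAX_WRITE_SIZE + 1];

    memcpy(line, ptr, len);          /* no check against sizeof line */
    line[len] = '\0';                /* NUL-terminate for text processing */
    return sink_append(s, line, len) ? len : 0;
}

/* HARDENED pattern: trust only the length libcurl passes, guard the
 * size*nmemb multiplication, and bound every copy by the sink. Returning a
 * value other than size*nmemb makes libcurl abort the transfer with
 * CURLE_WRITE_ERROR, the documented way for a callback to refuse data. */
static size_t safe_write_cb(char *ptr, size_t size, size_t nmemb, void *userdata)
{
    struct sink *s = userdata;
    size_t len;

    if (size != 0 && nmemb > SIZE_MAX / size)
        return 0;                    /* size*nmemb would wrap */
    len = size * nmemb;
    return sink_append(s, ptr, len) ? len : 0;
}

/* Constructed body: a repeating alphabet, not real decompressed data. */
static void make_body(char *out, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        out[i] = (char)('A' + (i % 26));
}

/* Simulate a decoder delivering `body_len` bytes to `cb` in chunks of
 * `chunk` bytes. A chunk larger than CURL_MAX_WRITE_SIZE models the
 * pre-7.20.0 behaviour. Returns bytes accepted into the sink, or -1 if the
 * callback refused a chunk (-2 on allocation failure). */
static long accepted_bytes(size_t (*cb)(char *, size_t, size_t, void *),
                           size_t body_len, size_t chunk)
{
    struct sink *s = calloc(1, sizeof *s);
    char *body = malloc(body_len);
    size_t off = 0;
    long result;

    if (!s || !body) { free(s); free(body); return -2; }
    make_body(body, body_len);
    while (off < body_len) {
        size_t n = body_len - off < chunk ? body_len - off : chunk;
        if (cb(body + off, 1, n, s) != n)
            break;
        off += n;
    }
    result = (off == body_len) ? (long)s->used : -1;
    free(body);
    free(s);
    return result;
}

int main(void)
{
    printf("safe, 16K chunks:       %ld\n", accepted_bytes(safe_write_cb, 40000, CURL_MAX_WRITE_SIZE));
    printf("safe, one 40000 chunk:  %ld\n", accepted_bytes(safe_write_cb, 40000, 40000));
    printf("safe, sink full:        %ld\n", accepted_bytes(safe_write_cb, 70000, 40000));
    printf("vulnerable, 16K chunks: %ld\n", accepted_bytes(vulnerable_write_cb, 40000, CURL_MAX_WRITE_SIZE));
    /* accepted_bytes(vulnerable_write_cb, 40000, 40000) would overrun `line`
     * on the stack, which is the application impact of this bug; it is
     * deliberately not run. */
    return 0;
}
```

The hardened callback accepts a single 40000-byte chunk as readily as three 16 KiB ones because it never assumes a per-call ceiling; it only refuses when the application's own sink is full. Fixing libcurl (7.20.0 or the backported patch) restores the limit, but a callback written this way is safe with either version.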
Comment 1 Stefan Behte (RETIRED) 2010-03-18 00:17:45 UTC
Please provide an updated ebuild.
Comment 2 Petr Pisar 2010-03-18 07:59:21 UTC
Created attachment 224071 [details, diff] Security patch released by upstream. This FILESDIR file fixes the bug in <=curl-7.19*.
Comment 3 Petr Pisar 2010-03-18 08:02:20 UTC
Created attachment 224073 [details, diff] Fix for 7.19* Updated ebuild for curl-7.19*. Requires files/libcurl-contentencoding.patch.
Comment 4 Petr Pisar 2010-03-18 08:04:00 UTC
~net-misc/curl-7.20.0 has been put into portage meanwhile. These ebuilds are not affected.
Comment 5 Stefan Behte (RETIRED) 2010-03-18 18:40:09 UTC
Is it ok to go stable?
Comment 6 Petr Pisar 2010-03-18 19:12:10 UTC
(In reply to comment #5)
> Is it ok to go stable?

If the question is to me, then I'll say I have no problem (net-misc/curl-7.20.0-r1 (idn ipv6 ssl) on x86). According to the libcurl mailing list, there are some issues on win32, Darwin, VMS and OS400. However, there are no Linux or functionality issues specific to this release.
Comment 7 Tobias Heinlein (RETIRED) 2010-03-18 19:21:57 UTC
(In reply to comment #6)
> (In reply to comment #5)
> > Is it ok to go stable?
> >
> If it's question to me, then I'll say I have no problem

It was targeted at the maintainers of the curl package. So unless you are one, no. Thanks for your input anyway.

dragonheart, is it ok to go stable?
Comment 8 Daniel Black (RETIRED) 2010-03-21 04:03:29 UTC
Sorry folks, I've been really busy. Thanks Petr for looking up the background info. Based on what I've seen and trust in the upstream developer, I'm happy for 7.20.0-r1 to go stable. Also happy for backported patches to be added.
Comment 9 Alex Legler (RETIRED) 2010-03-31 19:46:04 UTC
CVE-2010-0734 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0734): content_encoding.c in libcurl 7.10.5 through 7.19.7, when zlib is enabled, does not properly restrict the amount of callback data sent to an application that requests automatic decompression, which might allow remote attackers to cause a denial of service (application crash) or have unspecified other impact by sending crafted compressed data to an application that relies on the intended data-length limit.
Comment 10 Dror Levin (RETIRED) 2010-07-01 20:53:32 UTC
Remaining arches, please stabilize ASAP.
Comment 11 Raúl Porcel (RETIRED) 2010-07-03 14:09:54 UTC
Comment 12 Tim Sammut (RETIRED) 2011-01-02 04:07:48 UTC
Thanks, folks. GLSA request filed.
Comment 13 GLSAMaker/CVETool Bot 2012-03-06 01:29:51 UTC
This issue was resolved and addressed in GLSA 201203-02 at http://security.gentoo.org/glsa/glsa-201203-02.xml by GLSA coordinator Sean Amoss (ackle).