Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 536014 (CVE-2014-8150, CVE-2014-8151)

Summary: <net-misc/curl-7.45.0: URL request injection vulnerability in parseurlandfillconn() (CVE-2014-{8150,8151})
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: blueness, gregkh
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1178692
Whiteboard: A3 [glsa cve]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2015-01-08 10:40:48 UTC 
From ${URL} :

libcurl upstream reports:

"""

When libcurl sends a request to a server via a HTTP proxy, it copies the entire URL into the 
request and sends if off.

If the given URL contains line feeds and carriage returns those will be sent along to the proxy 
too, which allows the program to for example send a separate HTTP request injected embedded in the 
URL.

Many programs allow some kind of external sources to set the URL or provide partial pieces for the 
URL to request, and if the URL (as received from the user) is not stripped good enough - this flaw 
allows malicious users to do additional requests in a way that was not intended, or to insert 
request headers into the request that the program didn't intend.

We are not aware of any public exploits of this flaw.

"""

External References:

http://curl.haxx.se/docs/adv_20150108B.html


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2015-01-17 21:36:33 UTC 
CVE-2014-8150 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8150):
  CRLF injection vulnerability in libcurl 6.0 through 7.x before 7.40.0, when
  using an HTTP proxy, allows remote attackers to inject arbitrary HTTP
  headers and conduct HTTP response splitting attacks via CRLF sequences in a
  URL.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2015-01-18 03:17:08 UTC 
libcurl 7.40.0 makes sure that the URL passed to the proxy may never contain neither carriage returns nor line feeds characters.

A patch for this problem is available at:

http://curl.haxx.se/CVE-2014-8150.patch
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-07-01 05:28:07 UTC 
Patched code is present in >=net-misc/curl-7.45.0 source.

New GLSA request filed.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2017-01-19 19:26:35 UTC 
This issue was resolved and addressed in
 GLSA 201701-47 at https://security.gentoo.org/glsa/201701-47
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2017-01-19 19:30:28 UTC 
This issue was resolved and addressed in
 GLSA 201701-47 at https://security.gentoo.org/glsa/201701-47
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2017-01-19 19:31:25 UTC 
This issue was resolved and addressed in
 GLSA 201701-47 at https://security.gentoo.org/glsa/201701-47
by GLSA coordinator Thomas Deutschmann (whissi).