Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 949330 (CVE-2025-0167, CVE-2025-0665, CVE-2025-0725)

Summary: <net-misc/curl-8.12.0: multiple vulnerabilities
Product: Gentoo Security Reporter: Matt Jolly <kangie>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: normal CC: ajak, base-system, hydrapolic, kangie
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://curl.se/docs/security.html
Whiteboard: B3 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 951581    
Bug Blocks:    

Description Matt Jolly gentoo-dev 2025-02-05 08:45:40 UTC 
Curl 8.12.0 (already in-tree) contains fixes for the following CVEs:

CVE-2025-0725: gzip integer overflow 
CVE-2025-0665: eventfd double close
CVE-2025-0167: netrc and default credential leak
Comment 1 Tomáš Mózes 2025-02-10 08:56:27 UTC 
https://github.com/curl/curl/discussions/16259
Comment 2 Tomáš Mózes 2025-02-13 07:41:58 UTC 
8.12.1 is out: https://github.com/curl/curl/releases/tag/curl-8_12_1
Comment 3 Tomáš Mózes 2025-02-14 12:25:59 UTC 
8.12.1 looks better, the regression from 8.12.0 is gone (at least our use case).
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-02-14 12:26:03 UTC 
commit 893edb6df0a8cbe0902fb4b6d3e8f09a782fd349 (origin/master, origin/HEAD)
Author: Matt Jolly <kangie@gentoo.org>
Date:   Fri Feb 14 22:12:34 2025 +1000

    net-misc/curl: add 8.12.1

    Signed-off-by: Matt Jolly <kangie@gentoo.org>
Comment 5 Larry the Git Cow gentoo-dev 2025-04-03 15:26:39 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d682a759788a14c1d3eea5bf48e0bff7d01f98d7

commit d682a759788a14c1d3eea5bf48e0bff7d01f98d7
Author:     Christopher Fore <csfore@posteo.net>
AuthorDate: 2025-03-30 23:15:21 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2025-04-03 15:25:59 +0000

    net-misc/curl: drop 8.11.1-r2
    
    Bug: https://bugs.gentoo.org/949330
    Signed-off-by: Christopher Fore <csfore@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/41393
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/curl/Manifest              |   2 -
 net-misc/curl/curl-8.11.1-r2.ebuild | 384 ------------------------------------
 2 files changed, 386 deletions(-)