Bug 308645 - net-misc/curl <7.10.5; 7.19.7> data callback excessive length (CVE-2010-0734)
Summary: net-misc/curl <7.10.5; 7.19.7> data callback excessive length (CVE-2010-0734)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://curl.haxx.se/docs/adv_20100209...
Whiteboard: B2 [glsa]
Keywords:
Depends on: 315507
Blocks:
Reported: 2010-03-09 13:35 UTC by Petr Pisar
Modified: 2012-03-06 01:29 UTC
CC List: 3 users

See Also:
Package list:
Runtime testing required: ---


Attachments
Security patch released by upstream (libcurl-contentencoding.patch, 628 bytes, patch), 2010-03-18 07:59 UTC, Petr Pisar
Fix for 7.19* (curl-7.19.7.ebuild.diff, 439 bytes, patch), 2010-03-18 08:02 UTC, Petr Pisar

Description Petr Pisar 2010-03-09 13:35:22 UTC
curl versions between 7.10.5 and 7.19.7 inclusive contain a security flaw that can cause a buffer overflow in an application. The application must download compressed data, must request in-library decompression and must rely on the compile-time constant CURL_MAX_WRITE_SIZE.

Upstream provides a patch and a new unaffected version, 7.20.0.

Reproducible: Always

Steps to Reproduce:
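The application-side assumption the description mentions (treating CURL_MAX_WRITE_SIZE as a hard upper bound on what one write callback receives) is shown below as an added C example; it is not code from the bug report, from curl or from Gentoo. A callback that sizes a fixed buffer by that constant sits beside one that bounds and grows its buffer instead, and a small driver stands in for the affected libcurl handing the callback a decompressed block larger than the constant. CURL_MAX_WRITE_SIZE is redefined locally with its curl.h value (16384) so the program builds without libcurl; the names fixed_sink, dyn_sink, deliver_block and accepted_by_safe_sink are assumptions, and the delivered bytes are constructed, not a real HTTP body.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same value as CURL_MAX_WRITE_SIZE in curl/curl.h (assumed here so the
 * example compiles without libcurl installed). */
#ifndef CURL_MAX_WRITE_SIZE
#define CURL_MAX_WRITE_SIZE 16384
#endif

/* --- Vulnerable pattern: a fixed buffer sized by the constant. With the
 * affected libcurl and in-library decompression enabled, one callback can
 * receive more than CURL_MAX_WRITE_SIZE bytes and the memcpy overruns.
 * Shown for illustration; never invoked with an oversized block here. */
struct fixed_sink {
    char fixed_buf[CURL_MAX_WRITE_SIZE];
    size_t len;
};

size_t naive_write_cb(char *ptr, size_t size, size_t nmemb, void *userdata)
{
    struct fixed_sink *s = userdata;
    size_t n = size * nmemb;          /* trusted to be <= CURL_MAX_WRITE_SIZE */
    memcpy(s->fixed_buf, ptr, n);     /* overflow when that trust is wrong */
    s->len = n;
    return n;
}

/* --- Hardened pattern: a growable sink with an explicit policy cap. It
 * never relies on the compile-time constant. Returning fewer than size*nmemb
 * bytes makes libcurl abort the transfer with CURLE_WRITE_ERROR, which is the
 * safe failure mode for an unexpectedly large body. */
struct dyn_sink {
    char *buf;
    size_t cap;   /* allocated bytes */
    size_t len;   /* bytes stored */
    size_t max;   /* hard upper bound on accepted body bytes */
};

size_t safe_write_cb(char *ptr, size_t size, size_t nmemb, void *userdata)
{
    struct dyn_sink *s = userdata;
    size_t n;

    if (size != 0 && nmemb > SIZE_MAX / size)
        return 0;                                /* size*nmemb would overflow */
    n = size * nmemb;
    if (n > s->max - s->len)
        return 0;                                /* refuse: exceeds policy cap */
    if (n > s->cap - s->len) {
        size_t newcap = s->cap ? s->cap : 4096;
        while (newcap - s->len < n) {
            if (newcap > SIZE_MAX / 2)
                return 0;
            newcap *= 2;
        }
        char *nb = realloc(s->buf, newcap);
        if (!nb)
            return 0;
        s->buf = nb;
        s->cap = newcap;
    }
    memcpy(s->buf + s->len, ptr, n);
    s->len += n;
    return n;
}

/* Stands in for the affected libcurl: hands one decompressed block of n
 * constructed bytes (repeated 'A') to a write callback and returns what the
 * callback returned. */
size_t deliver_block(size_t (*cb)(char *, size_t, size_t, void *),
                     void *userdata, size_t n)
{
    char *block = malloc(n ? n : 1);
    size_t got;
    if (!block)
        return 0;
    memset(block, 'A', n);
    got = cb(block, 1, n, userdata);
    free(block);
    return got;
}

/* Scenario helper: bytes the hardened sink accepts from one block of n bytes
 * under a policy cap of policy_max. */
size_t accepted_by_safe_sink(size_t n, size_t policy_max)
{
    struct dyn_sink s = { NULL, 0, 0, policy_max };
    size_t got = deliver_block(safe_write_cb, &s, n);
    free(s.buf);
    return got;
}

int main(void)
{
    size_t big = CURL_MAX_WRITE_SIZE + 4096;   /* larger than the documented limit */
    printf("hardened sink accepted %zu of %zu bytes\n",
           accepted_by_safe_sink(big, 1u << 20), big);
    printf("hardened sink accepted %zu of 200 bytes under a 100-byte cap\n",
           accepted_by_safe_sink(200, 100));
    return 0;
}
```

The hardened callback treats the constant as a hint about typical chunk size, not as a bound: any block size up to the application's own cap is stored, anything beyond it is refused by returning a short count so libcurl fails the transfer rather than the callback corrupting memory.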
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-18 00:17:45 UTC
Please provide an updated ebuild.
Comment 2 Petr Pisar 2010-03-18 07:59:21 UTC
Created attachment 224071 [details, diff]
Security patch released by upstream

This FILESDIR file fixes the bug in <=curl-7.19*
Comment 3 Petr Pisar 2010-03-18 08:02:20 UTC
Created attachment 224073 [details, diff]
Fix for 7.19*

Updated ebuild for curl-7.19*. Requires files/libcurl-contentencoding.patch.
Comment 4 Petr Pisar 2010-03-18 08:04:00 UTC
~net-misc/curl-7.20.0 has been put into portage meanwhile. These ebuilds are not affected.
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-18 18:40:09 UTC
Is it ok to go stable?
Comment 6 Petr Pisar 2010-03-18 19:12:10 UTC
(In reply to comment #5)
> Is it ok to go stable?
> 
If the question is to me, then I'll say I have no problem (net-misc/curl-7.20.0-r1 (idn ipv6 ssl) on x86).

According to the libcurl mailing list, there are some issues on win32, Darwin, VMS and OS400. However, there are no Linux or functionality issues specific to this release.
Comment 7 Tobias Heinlein (RETIRED) gentoo-dev 2010-03-18 19:21:57 UTC
(In reply to comment #6)
> (In reply to comment #5)
> > Is it ok to go stable?
> > 
> If it's question to me, then I'll say I have no problem

It was targeted at the maintainers of the curl package. So unless you are one, no. Thanks for your input anyway.

dragonheart, is it ok to go stable?
Comment 8 Daniel Black (RETIRED) gentoo-dev 2010-03-21 04:03:29 UTC
Sorry folks, I've been really busy. Thanks Petr for looking up the background info.

Based on what I've seen and trust in the upstream developer I'm happy for 7.20.0-r1 to go stable.

Also happy for backported patches to be added.
Comment 9 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-03-31 19:46:04 UTC
CVE-2010-0734 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0734):
  content_encoding.c in libcurl 7.10.5 through 7.19.7, when zlib is
  enabled, does not properly restrict the amount of callback data sent
  to an application that requests automatic decompression, which might
  allow remote attackers to cause a denial of service (application
  crash) or have unspecified other impact by sending crafted compressed
  data to an application that relies on the intended data-length limit.

Comment 10 Dror Levin (RETIRED) gentoo-dev 2010-07-01 20:53:32 UTC
Remaining arches, please stabilize ASAP.
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2010-07-03 14:09:54 UTC
alpha/arm/ia64/s390/sh/sparc stable
Comment 12 Tim Sammut (RETIRED) gentoo-dev 2011-01-02 04:07:48 UTC
Thanks, folks. GLSA request filed.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2012-03-06 01:29:51 UTC
This issue was resolved and addressed in GLSA 201203-02 at http://security.gentoo.org/glsa/glsa-201203-02.xml by GLSA coordinator Sean Amoss (ackle).