Bug 465678 (CVE-2013-1944) - <net-misc/curl-7.30.0: Cookie domain suffix match vulnerability (CVE-2013-1944)
Summary: <net-misc/curl-7.30.0: Cookie domain suffix match vulnerability (CVE-2013-1944)
Status: RESOLVED FIXED
Alias: CVE-2013-1944
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A4 [glsa]
Keywords:
Duplicates: 466298
Depends on:
Blocks:
 
Reported: 2013-04-12 13:10 UTC by Agostino Sarubbo
Modified: 2014-01-20 14:11 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2013-04-12 13:10:08 UTC
From ${URL} :

A security flaw was found in the way the library of cURL, a utility for retrieval of files from
remote servers, performed match of cookie domain names when making a decision if (previously stored 
cookies) should be sent to particular domain. Due to a bug in match function implementation, 
(formerly) the decision / match succeeded also in cases, where just suffix / certain part of the 
domain name matched the domain name, the current request originated from. A remote attacker could 
use this flaw to possibly hijack the user session of the victim by submitting a request containing 
a specially-crafted domain name.

References:
[1] http://thread.gmane.org/gmane.comp.web.curl.library/38986


@maintainer(s): after the bump, please say explicitly if the package is ready for the stabilization or not
Comment 1 Anthony Basile gentoo-dev 2013-04-17 22:56:46 UTC
curl-7.30.0 is on the tree.
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2013-04-18 11:36:46 UTC
*** Bug 466298 has been marked as a duplicate of this bug. ***
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2013-04-18 11:40:08 UTC
(In reply to comment #1)
> curl-7.30.0 is on the tree.

…and ready to go stable?
Comment 4 Anthony Basile gentoo-dev 2013-04-18 14:44:32 UTC
(In reply to comment #3)
> (In reply to comment #1)
> > curl-7.30.0 is on the tree.
> 
> …and ready to go stable?

I have tested, but this would be a rapid stabilization with all the dangers that entails.  Given that this is a minor security risk, I'd prefer to wait.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2013-05-09 12:04:15 UTC
CVE-2013-1944 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1944):
  The tailMatch function in cookie.c in cURL and libcurl before 7.30.0 does
  not properly match the path domain when sending cookies, which allows remote
  attackers to steal cookies via a matching suffix in the domain of a URL.
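
The suffix-match flaw described in this bug, shown beside a boundary-aware check, as an added illustration that is not curl's source code and not part of the original bug report. The function names `suffix_only_match` and `domain_boundary_match` are hypothetical, the host names are constructed, and the hardened check assumes host names rather than IP literals.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* ASCII case-insensitive equality; host names are not case-sensitive. */
static bool ascii_ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == *b;
}

/* Flawed pattern: accepts any host that merely ends with the cookie domain. */
static bool suffix_only_match(const char *cookie_domain, const char *host)
{
    size_t dlen = strlen(cookie_domain), hlen = strlen(host);

    if (dlen == 0 || dlen > hlen)
        return false;
    return ascii_ieq(cookie_domain, host + (hlen - dlen));
}

/* Hardened pattern: exact match, or the suffix must begin at a label
 * boundary, i.e. the character before it in the host is a '.'. */
static bool domain_boundary_match(const char *cookie_domain, const char *host)
{
    size_t dlen, hlen = strlen(host);

    if (*cookie_domain == '.')          /* ignore a leading dot */
        cookie_domain++;
    dlen = strlen(cookie_domain);
    if (dlen == 0 || dlen > hlen)
        return false;
    if (!ascii_ieq(cookie_domain, host + (hlen - dlen)))
        return false;
    return hlen == dlen || host[hlen - dlen - 1] == '.';
}

int main(void)
{
    /* Constructed host names; the cookie is scoped to example.com. */
    const char *hosts[] = { "example.com", "www.example.com", "notexample.com" };

    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-16s suffix-only=%d boundary=%d\n", hosts[i],
               suffix_only_match("example.com", hosts[i]),
               domain_boundary_match("example.com", hosts[i]));
    return 0;
}
```
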
Comment 6 Anthony Basile gentoo-dev 2013-05-09 23:55:38 UTC
Okay let's shoot for stabilization: 

KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2013-05-10 15:59:38 UTC
Stable for HPPA.
Comment 8 Agostino Sarubbo gentoo-dev 2013-05-11 10:38:06 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-05-11 11:02:55 UTC
x86 stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-05-11 11:07:53 UTC
alpha stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-05-11 11:09:11 UTC
arm stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-05-11 11:10:15 UTC
ia64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2013-05-11 11:11:10 UTC
ppc64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2013-05-11 11:11:55 UTC
ppc stable
Comment 15 Agostino Sarubbo gentoo-dev 2013-05-11 11:13:24 UTC
sparc stable
Comment 16 Agostino Sarubbo gentoo-dev 2013-05-26 06:44:02 UTC
s390 stable
Comment 17 Agostino Sarubbo gentoo-dev 2013-06-09 16:02:05 UTC
sh stable
Comment 18 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-11 04:05:39 UTC
GLSA vote: no.
Comment 19 Sergey Popov gentoo-dev 2013-10-16 09:50:02 UTC
Added to existing GLSA draft
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2014-01-20 14:11:24 UTC
This issue was resolved and addressed in
 GLSA 201401-14 at http://security.gentoo.org/glsa/glsa-201401-14.xml
by GLSA coordinator Sergey Popov (pinkbyte).