Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 260361 (CVE-2009-0037) - net-misc/curl <7.19.4 Arbitrary File Access (CVE-2009-0037)
Summary: net-misc/curl <7.19.4 Arbitrary File Access (CVE-2009-0037)
Status: RESOLVED FIXED
Alias: CVE-2009-0037
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://curl.haxx.se/mail/archive-2009...
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-02-26 11:01 UTC by Robert Buchholz (RETIRED)
Modified: 2009-03-09 19:02 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
curl-7.19.3-r1.ebuild (curl-7.19.3-r1.ebuild,3.70 KB, text/plain)
2009-02-26 13:20 UTC, Daniel Black (RETIRED)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2009-02-26 11:01:08 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

                          libcurl Arbitrary File Access
                        =============================

Project cURL Security Advisory, March 3rd 2009
http://curl.haxx.se/docs/security.html

1. VULNERABILITY

  When told to follow a "redirect" automatically, libcurl does not question
  the new target URL but will follow to any new URL that it understands. As
  libcurl supports FILE:// URLs, a rogue server can thus "trick" a
  libcurl-using application to read a local file instead of the remote one.

  This is a problem, for example, when the application is running on a server
  and is written to upload or to otherwise provide the transfered data to a
  user, to another server or to another application etc, as it can be used to
  expose local files it was not meant to.

  The problem can also be exploited for uploading, if the rogue server
  redirects the client to a local file and thus it would (over)write a local
  file instead of sending it to the server.

  libcurl compiled to support SCP can get tricked to get a file using embedded
  semicolons, which can lead to execution of commands on the given
  server. "Location: scp://name:passwd@host/a'``;date >/tmp/test``;'".

  Files on servers other than the one running libcurl are also accessible when
  credentials for those servers are stored in the .netrc file of the user
  running libcurl.  This is most common for FTP servers, but can occur with
  any protocol supported by libcurl.  Files on remote SSH servers are also
  accessible when when the user has an unencrypted SSH key.

  There is no known exploit at the time of this writing.

  The Common Vulnerabilities and Exposures (CVE) project has assigned the name
  CVE-2009-0037 to this issue.

2. AFFECTED VERSIONS

  Affected versions: curl and libcurl 5.11(!) to and including 7.19.3
  Not affected versions: curl and libcurl 5.10 and earlier, 7.19.4 and later

  Also note that (lib)curl is used by many applications, and not always
  advertised as such.

3. THE SOLUTION

  libcurl 7.19.4 introduces a new option called CURLOPT_REDIR_PROTOCOLS, which
  applications can use to tell libcurl what target protocols automatic
  redirect followings are allowed to use. This will by default exclude FILE
  and SCP URLs.

4. RECOMMENDATIONS

  We suggest you take one of the following actions immediately, in order of
  preference:

  A - Upgrade to curl and libcurl 7.19.4

  B - Apply the suitable patch and rebuild

    For current CVS HEAD:
    http://curl.haxx.se/CVE-2009-0037/curl-CVSHEAD-CVE-2009-0037.patch

    For curl 7.19.0:
    http://curl.haxx.se/CVE-2009-0037/curl-7.19.0-CVE-2009-0037.patch

    For curl 7.18.2:
    http://curl.haxx.se/CVE-2009-0037/curl-7.18.2-CVE-2009-0037.patch

    For curl 7.18.1:
    http://curl.haxx.se/CVE-2009-0037/curl-7.18.1-CVE-2009-0037.patch

    For curl 7.16.4:
    http://curl.haxx.se/CVE-2009-0037/curl-7.16.4-CVE-2009-0037.patch

    For curl 7.15.1:
    http://curl.haxx.se/CVE-2009-0037/curl-7.15.1-CVE-2009-0037.patch

    For curl 7.11.0:
    http://curl.haxx.se/CVE-2009-0037/curl-7.11.0-CVE-2009-0037.patch

  C - Disable automatic redirection following in your application and do the
      logic "manually" instead.

5. TIME LINE

  We were notified by David Kierznowski on Feb 6th, 2009.

  We discussed solutions and a first patch was written and tested on Feb 11th.

  Vendor-sec was contacted on Feb 12, 2009.

  We agreed on and coordinated the synchronous disclosure of this problem
  together with the curl 7.19.4 release.

  curl 7.19.4 was released on March 3 2009, just before this flaw was publicly
  disclosed.

6. CREDITS

  Reported to us by David Kierznowski. Thanks a lot!

  Daniel Fandrich researched the issue and helped with the fix.

  Michal Marek brought the SCP side of this issue and did a bunch of the
  patch backports.

  Daniel Stenberg wrote the primary patch and this advisory.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-02-26 11:02:18 UTC
dragonheart/loki_val: Can you attach an ebuild applying the appropriate patch to this bug, so we can do prestable testing before the deadline here? Do not commit anything to CVS!
Comment 2 Daniel Black (RETIRED) gentoo-dev 2009-02-26 13:20:43 UTC
Created attachment 183256 [details]
curl-7.19.3-r1.ebuild

cvs ebuild

patch for ${FILESDIR} is http://curl.haxx.se/CVE-2009-0037/curl-CVSHEAD-CVE-2009-0037.patch

i'll change it back to a tarball for the release.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-02-26 15:17:20 UTC
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

CC'ing current Liaisons:
   alpha : yoswink, armin76
   amd64 : keytoaster, tester
    hppa : jer
     ppc : dertobi123
   ppc64 : corsair
   sparc : fmccor
     x86 : maekke, armin76
Comment 4 Ferris McCormick (RETIRED) gentoo-dev 2009-02-26 16:07:57 UTC
sparc looks good with the patch (tests run with no failures).
Comment 5 Tobias Heinlein (RETIRED) gentoo-dev 2009-02-26 23:47:03 UTC
amd64 seems fine:
TESTDONE: 439 tests out of 439 reported OK: 100%
TESTDONE: 526 tests were considered during 1040 seconds.
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2009-02-27 09:07:20 UTC
HPPA is OK.
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2009-02-27 10:07:02 UTC
Looks okay on alpha/arm/ia64/s390/sh/x86
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2009-03-03 11:47:45 UTC
This is public now, please commit the ebuild and mark it stable for the arches that approved. Thanks!
Comment 9 Daniel Black (RETIRED) gentoo-dev 2009-03-03 19:38:35 UTC
added  7.19.4
Comment 10 Daniel Black (RETIRED) gentoo-dev 2009-03-03 19:55:40 UTC
and remaining arches
Comment 11 Brent Baude (RETIRED) gentoo-dev 2009-03-04 16:43:59 UTC
ppc64 done
Comment 12 Daniel Black (RETIRED) gentoo-dev 2009-03-04 19:29:47 UTC
tested - comment 5 thanks Tobias
Comment 13 Tobias Scherbaum (RETIRED) gentoo-dev 2009-03-04 19:59:39 UTC
ppc stable, sorry for the delay.
Comment 14 Tobias Heinlein (RETIRED) gentoo-dev 2009-03-05 20:06:46 UTC
GLSA request filed.
Comment 15 Tobias Heinlein (RETIRED) gentoo-dev 2009-03-09 19:02:35 UTC
GLSA 200903-21, thanks everyone.