From ${URL} : A security flaw was found in the way the library of cURL, a utility for retrieval of files from remote servers, performed matching of cookie domain names when deciding if (previously stored) cookies should be sent to a particular domain. Due to a bug in the match function implementation, (formerly) the decision / match also succeeded in cases where just a suffix / certain part of the domain name matched the domain name the current request originated from. A remote attacker could use this flaw to possibly hijack the user session of the victim by submitting a request containing a specially-crafted domain name.

References: [1] http://thread.gmane.org/gmane.comp.web.curl.library/38986

@maintainer(s): after the bump, please say explicitly if the package is ready for stabilization or not.
curl-7.30.0 is on the tree.
*** Bug 466298 has been marked as a duplicate of this bug. ***
(In reply to comment #1) > curl-7.30.0 is on the tree. …and ready to go stable?
(In reply to comment #3) > (In reply to comment #1) > > curl-7.30.0 is on the tree. > > …and ready to go stable? I have tested, but this would be a rapid stabilization with all the dangers that entails. Given that this is a minor security risk, I'd prefer to wait.
CVE-2013-1944 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1944): The tailMatch function in cookie.c in cURL and libcurl before 7.30.0 does not properly match the path domain when sending cookies, which allows remote attackers to steal cookies via a matching suffix in the domain of a URL.
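To make the suffix-only match described in the CVE text concrete, here is an added illustration (not the page's or curl's own code): a simplified version of the flawed tail check next to a hardened one that also requires the match to begin at a label boundary. Function names are mine, and the hardened check assumes any leading '.' has already been stripped from the cookie domain.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive comparison of two equal-length ASCII spans. */
static bool ci_equal(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Illustrative pre-fix behaviour: only asks whether cookie_domain is a
   suffix of hostname, so "example.com" also matches "notexample.com" and a
   cookie stored for one site would be sent to an unrelated one. */
bool tail_match_flawed(const char *cookie_domain, const char *hostname)
{
    size_t dlen = strlen(cookie_domain), hlen = strlen(hostname);
    if (dlen > hlen)
        return false;
    return ci_equal(cookie_domain, hostname + hlen - dlen, dlen);
}

/* Hardened check: the suffix must start at a label boundary, i.e. the names
   are identical or the character just before the suffix is a '.'.
   Assumes cookie_domain has no leading '.' (stripped by the caller). */
bool tail_match_fixed(const char *cookie_domain, const char *hostname)
{
    size_t dlen = strlen(cookie_domain), hlen = strlen(hostname);
    if (dlen == 0 || dlen > hlen)
        return false;
    if (!ci_equal(cookie_domain, hostname + hlen - dlen, dlen))
        return false;
    if (dlen == hlen)
        return true;                          /* exact host match */
    return hostname[hlen - dlen - 1] == '.';  /* e.g. www.example.com */
}
```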
Okay, let's shoot for stabilization: KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Stable for HPPA.
amd64 stable
x86 stable
alpha stable
arm stable
ia64 stable
ppc64 stable
ppc stable
sparc stable
s390 stable
sh stable
GLSA vote: no.
Added to existing GLSA draft
This issue was resolved and addressed in GLSA 201401-14 at http://security.gentoo.org/glsa/glsa-201401-14.xml by GLSA coordinator Sergey Popov (pinkbyte).