Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 523038 (CVE-2014-3620) - <net-misc/curl-7.39.0: multiple vulnerabilities (CVE-2014-{3613,3620})
Summary: <net-misc/curl-7.39.0: multiple vulnerabilities (CVE-2014-{3613,3620})
Status: RESOLVED FIXED
Alias: CVE-2014-3620
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://curl.haxx.se/docs/adv_20140910...
Whiteboard: A4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-09-17 14:02 UTC by Karol Herbst
Modified: 2015-03-18 17:50 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Karol Herbst 2014-09-17 14:02:26 UTC
see http://curl.haxx.se/docs/adv_20140910B.html

patch for this can be found here: http://curl.haxx.se/CVE-2014-3620.patch

Reproducible: Didn't try
Comment 1 Karol Herbst 2014-09-17 14:09:50 UTC
maybe the patch for CVE-2014-3613 should be added, too

see here for more info: http://curl.haxx.se/docs/adv_20140910A.html
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2014-09-17 14:49:00 UTC
libcurl wrongly allows cookies to be set for Top Level Domains (TLDs), thus
making them apply broader than cookies are allowed. This can allow arbitrary
sites to set cookies that then would get sent to a different and unrelated
site or domain.

Affected versions: from libcurl 7.31.0 to and including 7.37.1
Not affected versions: libcurl < 7.31.0 and libcurl >= 7.38.0
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2014-09-17 14:52:39 UTC
Maintainer(s): please let us know when the ebuild is ready for  stabilization.
Comment 4 Agostino Sarubbo gentoo-dev 2014-09-17 15:37:10 UTC
(In reply to Yury German from comment #3)
> Maintainer(s): please let us know when the ebuild is ready for 
> stabilization.

Again, hard to catch if noone is in CC.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2014-09-17 17:28:00 UTC
Ago thank you
Comment 6 Anthony Basile gentoo-dev 2014-11-11 00:15:19 UTC
See bug #528840 which supercedes this version.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2015-01-04 01:25:33 UTC
CVE-2014-3620 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3620):
  cURL and libcurl before 7.38.0 allow remote attackers to bypass the Same
  Origin Policy and set cookies for arbitrary sites by setting a cookie for a
  top-level domain.

CVE-2014-3613 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3613):
  cURL and libcurl before 7.38.0 does not properly handle IP addresses in
  cookie domain names, which allows remote attackers to set cookies for or
  send arbitrary cookies to certain sites, as demonstrated by a site at
  192.168.0.1 setting cookies for a site at 127.168.0.1.
Comment 8 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-03-18 17:20:00 UTC
GLSA Vote: No
Comment 9 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-03-18 17:50:05 UTC
GLSA vote: no.

Closing as [noglsa]