Bug 536014 (CVE-2014-8150, CVE-2014-8151) - <net-misc/curl-7.45.0: URL request injection vulnerability in parseurlandfillconn() (CVE-2014-{8150,8151})
Summary: <net-misc/curl-7.45.0: URL request injection vulnerability in parseurlandfill...
Status: RESOLVED FIXED
Alias: CVE-2014-8150, CVE-2014-8151
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A3 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-01-08 10:40 UTC by Agostino Sarubbo
Modified: 2017-01-19 19:31 UTC

Description Agostino Sarubbo gentoo-dev 2015-01-08 10:40:48 UTC
From ${URL} :

libcurl upstream reports:

"""

When libcurl sends a request to a server via a HTTP proxy, it copies the entire URL into the
request and sends it off.

If the given URL contains line feeds and carriage returns those will be sent along to the proxy 
too, which allows the program to for example send a separate HTTP request injected embedded in the 
URL.

Many programs allow some kind of external sources to set the URL or provide partial pieces for the 
URL to request, and if the URL (as received from the user) is not stripped good enough - this flaw 
allows malicious users to do additional requests in a way that was not intended, or to insert 
request headers into the request that the program didn't intend.

We are not aware of any public exploits of this flaw.

"""

External References:

http://curl.haxx.se/docs/adv_20150108B.html


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2015-01-17 21:36:33 UTC
CVE-2014-8150 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8150):
  CRLF injection vulnerability in libcurl 6.0 through 7.x before 7.40.0, when
  using an HTTP proxy, allows remote attackers to inject arbitrary HTTP
  headers and conduct HTTP response splitting attacks via CRLF sequences in a
  URL.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2015-01-18 03:17:08 UTC
libcurl 7.40.0 makes sure that the URL passed to the proxy may never contain either carriage return or line feed characters.

A patch for this problem is available at:

http://curl.haxx.se/CVE-2014-8150.patch
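
The behaviour described in the advisory next to a caller-side check, as an added example that is not code from curl or from this bug report. The function names, the simplified request format and the sample URLs are assumptions, and rejecting every ASCII control byte is stricter than the CR/LF check described above.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: 1 if url has no CR, LF or other ASCII control byte. */
int url_is_clean(const char *url)
{
    if (url == NULL || *url == '\0')
        return 0;
    for (const unsigned char *p = (const unsigned char *)url; *p; p++)
        if (*p < 0x20 || *p == 0x7f)
            return 0;
    return 1;
}

/* Pre-fix behaviour as the advisory describes it: URL copied verbatim
   into a (simplified, constructed) request sent to the proxy. */
int format_unchecked(const char *url, char *out, size_t len)
{
    return snprintf(out, len,
                    "GET %s HTTP/1.1\r\nProxy-Connection: Keep-Alive\r\n\r\n", url);
}

/* Hardened form: refuse the URL before any bytes are formatted. */
int format_checked(const char *url, char *out, size_t len)
{
    if (!url_is_clean(url))
        return -1;
    int n = format_unchecked(url, out, len);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Number of CRLF-terminated lines in a formatted request. */
int count_crlf_lines(const char *req)
{
    int lines = 0;
    for (const char *p = req; (p = strstr(p, "\r\n")) != NULL; p += 2)
        lines++;
    return lines;
}

int main(void)
{
    const char *ok = "http://example.com/index.html";       /* constructed */
    const char *bad = "http://example.com/\r\nX-Added: 1";  /* constructed */
    char buf[512];

    format_unchecked(ok, buf, sizeof buf);
    printf("clean URL, unchecked: %d lines\n", count_crlf_lines(buf));
    format_unchecked(bad, buf, sizeof buf);
    printf("CRLF URL, unchecked:  %d lines\n", count_crlf_lines(buf));
    printf("CRLF URL, checked:    %d\n", format_checked(bad, buf, sizeof buf));
    return 0;
}
```

The extra line in the unchecked output for the second URL is the one the embedded CRLF created; the checked path returns -1 and formats nothing.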
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-07-01 05:28:07 UTC
Patched code is present in >=net-misc/curl-7.45.0 source.

New GLSA request filed.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2017-01-19 19:26:35 UTC
This issue was resolved and addressed in
 GLSA 201701-47 at https://security.gentoo.org/glsa/201701-47
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2017-01-19 19:30:28 UTC
This issue was resolved and addressed in
 GLSA 201701-47 at https://security.gentoo.org/glsa/201701-47
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2017-01-19 19:31:25 UTC
This issue was resolved and addressed in
 GLSA 201701-47 at https://security.gentoo.org/glsa/201701-47
by GLSA coordinator Thomas Deutschmann (whissi).