VULNERABILITY

This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains.

It could do this by exploiting a mixed case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL).

For example a cookie could be set with domain=co.UK when the URL used a lowercase hostname curl.co.uk, even though co.uk is listed as a PSL domain.

INFO

When curl is built without PSL support, it cannot protect against this problem but it is expected to not allow "too wide" cookies when PSL support is enabled.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2023-46218 to this issue.

CWE-201: Information Exposure Through Sent Data
Severity: Medium

AFFECTED VERSIONS

Affected versions: curl 7.46.0 to and including 8.4.0
Not affected versions: curl < 7.46.0 and >= 8.5.0
Introduced-in: https://github.com/curl/curl/commit/e77b5b7453c1e8c

libcurl is used by many applications, but not always advertised as such!
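To make the mixed-case issue concrete, here is an added toy model (not curl's code) of the cookie-domain check: a constructed three-entry PSL, an exact-case public-suffix lookup beside a lowercasing one, and the RFC 6265 domain-match rule that decides which hosts later receive the cookie. Only the lowercasing variant rejects domain=co.UK for a request to curl.co.uk.

```python
# Constructed mini Public Suffix List; the real list holds thousands of entries.
PSL = {"uk", "co.uk", "com"}


def domain_matches(host, cookie_domain):
    """RFC 6265 domain-match: host equals the cookie domain or ends with '.' + domain.
    Domain matching is case-insensitive, which is why a stored 'co.UK' cookie
    would later be sent to every *.co.uk host."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def is_public_suffix_vulnerable(cookie_domain):
    """Flawed lookup: exact-case membership, so 'co.UK' is not found in a list that holds 'co.uk'."""
    return cookie_domain.lstrip(".") in PSL


def is_public_suffix_fixed(cookie_domain):
    """Hardened lookup: normalise case before consulting the list."""
    return cookie_domain.lower().lstrip(".") in PSL


def cookie_accepted(host, cookie_domain, psl_check):
    """Accept a Set-Cookie domain only if it domain-matches the request host
    and is not itself a public suffix (a 'super cookie')."""
    if not domain_matches(host, cookie_domain):
        return False
    return not psl_check(cookie_domain)


def recipients(cookie_domain, hosts):
    """Hosts that would receive a cookie stored under cookie_domain (constructed host list in the test)."""
    return [h for h in hosts if domain_matches(h, cookie_domain)]
```

The fixed check is what PSL support is expected to provide; without it (a build lacking libpsl) neither variant runs and a too-wide domain is accepted.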
We're not doing anything about this at the moment but it's worth recording: cURL on Gentoo is built `--without-libpsl` and there is no USE dependency. I'll look into what other distros are doing and make a longer term decision.
*** Bug 919326 has been marked as a duplicate of this bug. ***
Other one:

* HSTS long file name clears content (CVE-2023-42619)

When saving HSTS data to an excessively long file name, curl could end up removing all contents, making subsequent requests using that file unaware of the HSTS status they should otherwise use.

INFO

The reason for this bug is that the save function appended a suffix to the file name, created a temporary file and then in the last step renamed that to the final name. When the file name length was close to the limit of what is allowed on the file system, adding the extension would make it too long and then trigger this bug.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2023-46219 to this issue.

CWE-311: Missing Encryption of Sensitive Data
Severity: Low

AFFECTED VERSIONS

Affected versions: curl 7.84.0 to and including 8.4.0
Not affected versions: curl < 7.84.0 and >= 8.5.0
Introduced-in: https://github.com/curl/curl/commit/20f9dd6bae50b722

libcurl is used by many applications, but not always advertised as such!
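The save-to-temp-then-rename pattern described above is safe only if the temporary name itself fits the file system's limit. Added example, not curl's code: a save routine that checks the suffixed name against NAME_MAX before touching anything, so a near-limit name fails with ENAMETOOLONG and the existing file keeps its content; the demo builds a constructed file whose name sits exactly at the limit.

```python
import errno
import os
import tempfile


def max_name_len(directory):
    """Longest file name the file system under `directory` accepts (255 on most Linux file systems)."""
    try:
        return os.pathconf(directory, "PC_NAME_MAX")
    except (OSError, ValueError, AttributeError):
        return 255  # assumption: fall back to the common POSIX limit


def save_atomically(path, data, suffix=".tmp"):
    """Write `data` to `path` via temp file + rename.
    The suffixed name is validated first, so an over-long name is refused
    before the original file is created, truncated or unlinked."""
    directory = os.path.dirname(path) or "."
    tmp_path = path + suffix
    if len(os.path.basename(tmp_path).encode()) > max_name_len(directory):
        raise OSError(errno.ENAMETOOLONG, "temporary name exceeds NAME_MAX", tmp_path)
    with open(tmp_path, "wb") as fh:
        fh.write(data)
    os.replace(tmp_path, path)  # atomic on POSIX; old content survives up to this point


def run_demo():
    """Constructed scenario in a scratch directory.
    Returns (long name refused and original preserved, short name saved OK)."""
    original = b"example.org 20991231 1\n"  # constructed HSTS-style cache line
    with tempfile.TemporaryDirectory() as d:
        long_path = os.path.join(d, "h" * max_name_len(d))  # exactly at the limit
        with open(long_path, "wb") as fh:
            fh.write(original)
        try:
            save_atomically(long_path, b"replacement\n")
            refused = False
        except OSError as e:
            refused = e.errno == errno.ENAMETOOLONG
        with open(long_path, "rb") as fh:
            preserved = fh.read() == original
        short_path = os.path.join(d, "hsts.txt")
        save_atomically(short_path, b"replacement\n")
        with open(short_path, "rb") as fh:
            short_ok = fh.read() == b"replacement\n"
    return refused and preserved, short_ok
```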
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bd5be9da9b4bc564cc45b1004363d3e5d79afc8d

commit bd5be9da9b4bc564cc45b1004363d3e5d79afc8d
Author: Matt Jolly <Matt.Jolly@footclan.ninja>
AuthorDate: 2023-12-06 08:56:57 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-12-06 11:22:37 +0000

net-misc/curl: add 8.5.0

This release includes fixes for two CVEs linked as bugs below.

For clarity, Gentoo does not currently enable a libpsl dependency so version bump does not address CVE-2023-46218 / Bug 919325; we're no more or less vulnerable than we were before.

Test 1477 has been disabled for this release; it's docs related and upstream did not include a required file - it's not worth us patching:
https://github.com/curl/curl/commit/da8c1d15782c8161b455a7ee90197c16ae5edb90

Bug: https://bugs.gentoo.org/919325
Bug: https://bugs.gentoo.org/919326
Signed-off-by: Matt Jolly <Matt.Jolly@footclan.ninja>
Closes: https://github.com/gentoo/gentoo/pull/34148
Signed-off-by: Sam James <sam@gentoo.org>

net-misc/curl/Manifest | 2 +
net-misc/curl/curl-8.5.0.ebuild | 364 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 366 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=500274c68d01033cbafb86135043712bcbbd974e

commit 500274c68d01033cbafb86135043712bcbbd974e
Author: Sam James <sam@gentoo.org>
AuthorDate: 2024-01-19 08:49:43 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2024-01-19 08:49:43 +0000

net-misc/curl: improve USE=psl description

Bug: https://bugs.gentoo.org/921610
Bug: https://bugs.gentoo.org/919325
Signed-off-by: Sam James <sam@gentoo.org>

net-misc/curl/metadata.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c5220b82d97f99bbdb24a203fd47c84c885f3ca1

commit c5220b82d97f99bbdb24a203fd47c84c885f3ca1
Author: Matt Jolly <Matt.Jolly@footclan.ninja>
AuthorDate: 2024-01-17 07:57:07 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2024-01-19 08:48:30 +0000

net-misc/curl: add 8.5.0-r3

- Add Public Suffix List (PSL) support

Bug: https://bugs.gentoo.org/919325
Closes: https://bugs.gentoo.org/921610
Signed-off-by: Matt Jolly <Matt.Jolly@footclan.ninja>
Signed-off-by: Sam James <sam@gentoo.org>

net-misc/curl/curl-8.5.0-r3.ebuild | 369 +++++++++++++++++++++++++++++++++++++
net-misc/curl/metadata.xml | 1 +
2 files changed, 370 insertions(+)
*** Bug 921732 has been marked as a duplicate of this bug. ***
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=b04b4f7e697b62c8b67bd3c4bad5d6903b20f23f

commit b04b4f7e697b62c8b67bd3c4bad5d6903b20f23f
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-09-23 05:53:30 +0000
Commit: Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-09-23 05:53:40 +0000

[ GLSA 202409-20 ] curl: Multiple Vulnerabilities

Bug: https://bugs.gentoo.org/919325
Bug: https://bugs.gentoo.org/919889
Bug: https://bugs.gentoo.org/923413
Bug: https://bugs.gentoo.org/927960
Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
Signed-off-by: Hans de Graaff <graaff@gentoo.org>

glsa-202409-20.xml | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 51 insertions(+)