Bug 946291 (CVE-2024-11053) - <net-misc/curl-8.11.1: netrc and redirect credential leak
Summary: <net-misc/curl-8.11.1: netrc and redirect credential leak
Status: UNCONFIRMED
Alias: CVE-2024-11053
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://curl.se/docs/CVE-2024-11053.html
Whiteboard: B4 [ebuild]
Keywords:
Depends on:
Blocks:
Reported: 2024-12-12 00:11 UTC by Emanuele Torre
Modified: 2024-12-12 08:18 UTC

See Also:
Package list:
Runtime testing required: ---


Description Emanuele Torre 2024-12-12 00:11:50 UTC
Quoting https://curl.se/docs/CVE-2024-11053.html

  When asked to both use a .netrc file for credentials and to follow
  HTTP redirects, curl could leak the password used for the first host
  to the followed-to host under certain circumstances.
  This flaw only manifests itself if the netrc file has an entry that
  matches the redirect target hostname but the entry either omits just
  the password or omits both login and password.

  CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

  Severity: Low

  Affected versions: curl 6.5 to and including 8.11.0.

o/
 emanuele6
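The quoted advisory ties the leak to one precise condition: a .netrc entry for the redirect target that omits the password, or omits both login and password. The following audit script is an added example (not curl's or Gentoo's code) that parses a .netrc file with a small hand-written tokenizer and reports exactly those entries, so an administrator can complete or remove them while an affected curl is still installed. It assumes keywords and their values sit on the same line and that `#` starts a comment; the sample file is constructed.

```python
"""Audit a .netrc file for entries matching the CVE-2024-11053 trigger condition."""

# Constructed sample: two entries are incomplete in the way the advisory describes.
SAMPLE_NETRC = """\
# origin has full credentials
machine origin.example login alice password s3cret
machine target.example login bob          # password omitted
machine other.example                     # login and password omitted
machine fine.example login carol password p4ss
"""


def parse_netrc(text):
    """Return {host: {"login": str|None, "password": str|None}} from netrc text.

    Assumptions (not curl's parser): a keyword and its value share a line,
    '#' starts a comment, and a 'macdef' body is skipped up to its blank line.
    """
    entries, current, in_macro = {}, None, False
    for line in text.splitlines():
        if in_macro:                      # macro bodies end at an empty line
            in_macro = line.strip() != ""
            continue
        tokens = line.split("#", 1)[0].split()
        j = 0
        while j < len(tokens):
            tok = tokens[j]
            if tok in ("machine", "default"):
                name = "default" if tok == "default" else tokens[j + 1]
                current = entries.setdefault(name, {"login": None, "password": None})
                j += 1 if tok == "default" else 2
            elif tok in ("login", "password", "account"):
                if tok != "account":      # 'account' is parsed but not audited
                    current[tok] = tokens[j + 1]
                j += 2
            elif tok == "macdef":
                in_macro = True
                break
            else:
                raise ValueError(f"unexpected netrc token {tok!r}")
    return entries


def incomplete_entries(text):
    """List (host, what_is_missing) for entries that could trigger the leak."""
    findings = []
    for host, creds in parse_netrc(text).items():
        if creds["login"] is None and creds["password"] is None:
            findings.append((host, "login and password"))
        elif creds["password"] is None:
            findings.append((host, "password"))
    return findings


if __name__ == "__main__":
    for host, missing in incomplete_entries(SAMPLE_NETRC):
        print(f"{host}: entry omits {missing}")
```

To run it against a real file, pass `open("~/.netrc").read()` (path expanded) to `incomplete_entries` instead of the constructed sample.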
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-12-12 04:03:23 UTC
For security bugs, the summary should be the first fixed version in tree.
Comment 2 Larry the Git Cow gentoo-dev 2024-12-12 08:18:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5b71955ecbcbbc8427caedb8f66eb36f44841e44

commit 5b71955ecbcbbc8427caedb8f66eb36f44841e44
Author:     Matt Jolly <kangie@gentoo.org>
AuthorDate: 2024-12-12 08:17:34 +0000
Commit:     Matt Jolly <kangie@gentoo.org>
CommitDate: 2024-12-12 08:17:53 +0000

    net-misc/curl: add 8.11.1
    
    Bug: https://bugs.gentoo.org/946291
    Signed-off-by: Matt Jolly <kangie@gentoo.org>

 net-misc/curl/Manifest           |   2 +
 net-misc/curl/curl-8.11.1.ebuild | 383 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 385 insertions(+)