Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 949330 (CVE-2025-0167, CVE-2025-0665, CVE-2025-0725) - <net-misc/curl-8.12.0: multiple vulnerabilities
Summary: <net-misc/curl-8.12.0: multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2025-0167, CVE-2025-0665, CVE-2025-0725
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://curl.se/docs/security.html
Whiteboard: B3 [stable?]
Keywords:
Depends on:
Blocks:
 
Reported: 2025-02-05 08:45 UTC by Matt Jolly
Modified: 2025-02-14 12:26 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Matt Jolly gentoo-dev 2025-02-05 08:45:40 UTC 
Curl 8.12.0 (already in-tree) contains fixes for the following CVEs:

CVE-2025-0725: gzip integer overflow 
CVE-2025-0665: eventfd double close
CVE-2025-0167: netrc and default credential leak
Comment 1 Tomáš Mózes 2025-02-10 08:56:27 UTC 
https://github.com/curl/curl/discussions/16259
Comment 2 Tomáš Mózes 2025-02-13 07:41:58 UTC 
8.12.1 is out: https://github.com/curl/curl/releases/tag/curl-8_12_1
Comment 3 Tomáš Mózes 2025-02-14 12:25:59 UTC 
8.12.1 looks better, the regression from 8.12.0 is gone (at least our use case).
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-02-14 12:26:03 UTC 
commit 893edb6df0a8cbe0902fb4b6d3e8f09a782fd349 (origin/master, origin/HEAD)
Author: Matt Jolly <kangie@gentoo.org>
Date:   Fri Feb 14 22:12:34 2025 +1000

    net-misc/curl: add 8.12.1

    Signed-off-by: Matt Jolly <kangie@gentoo.org>