-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 10 Nov 2016 17:31:06 +0100
Source: curl
Binary: curl libcurl3 libcurl3-gnutls libcurl3-nss libcurl4-openssl-dev libcurl4-gnutls-dev libcurl4-nss-dev libcurl3-dbg
Architecture: source amd64
Version: 7.26.0-1+wheezy17
Distribution: wheezy-security
Urgency: high
Maintainer: Alessandro Ghedini <ghedo@debian.org>
Changed-By: Thorsten Alteholz <debian@alteholz.de>
Description:
 curl       - command line tool for transferring data with URL syntax
 libcurl3   - easy-to-use client-side URL transfer library (OpenSSL flavour)
 libcurl3-dbg - debugging symbols for libcurl (OpenSSL, GnuTLS and NSS flavours)
 libcurl3-gnutls - easy-to-use client-side URL transfer library (GnuTLS flavour)
 libcurl3-nss - easy-to-use client-side URL transfer library (NSS flavour)
 libcurl4-gnutls-dev - development files and documentation for libcurl (GnuTLS flavour)
 libcurl4-nss-dev - development files and documentation for libcurl (NSS flavour)
 libcurl4-openssl-dev - development files and documentation for libcurl (OpenSSL flavour)
Changes:
 curl (7.26.0-1+wheezy17) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the LTS Team.
   * CVE-2016-8615
     If cookie state is written into a cookie jar file that is later read
     back and used for subsequent requests, a malicious HTTP server can
     inject new cookies for arbitrary domains into said cookie jar.
     The issue pertains to the function that loads cookies into memory,
     which reads the specified file into a fixed-size buffer in a
     line-by-line manner using the `fgets()` function. If an invocation
     of fgets() cannot read the whole line into the destination buffer
     due to it being too small, it truncates the output.
     This way, a very long cookie (name + value) sent by a malicious
     server would be stored in the file, and subsequently that cookie
     could be read partially; if crafted correctly, it could be treated
     as a different cookie for another server.
   * CVE-2016-8616
     When re-using a connection, curl was doing case insensitive
     comparisons of user name and password with the existing connections.
     This means that if an unused connection with proper credentials
     exists for a protocol that has connection-scoped credentials, an
     attacker can cause that connection to be reused if s/he knows the
     case-insensitive version of the correct password.
   * CVE-2016-8617
     In libcurl's base64 encode function, the output buffer is allocated
     as follows without any checks on insize:
        malloc( insize * 4 / 3 + 4 )
     On systems with 32-bit addresses in userspace (e.g. x86, ARM, x32),
     the multiplication in the expression wraps around if insize is at
     least 1GB of data. If this happens, an undersized output buffer will
     be allocated, but the full result will be written, thus causing the
     memory behind the output buffer to be overwritten.
     Systems with 64 bit versions of the `size_t` type are not affected
     by this issue.
   * CVE-2016-8618
     The libcurl API function called `curl_maprintf()` can be tricked
     into doing a double-free due to an unsafe `size_t` multiplication,
     on systems using 32 bit `size_t` variables. The function is also
     used internally in numerous situations.
     Systems with 64 bit versions of the `size_t` type are not affected
     by this issue.
   * CVE-2016-8619
     In curl's implementation of the Kerberos authentication mechanism,
     the function `read_data()` in security.c is used to fill the
     necessary krb5 structures. When reading one of the length fields
     from the socket, it fails to ensure that the length parameter passed
     to realloc() is not set to 0.
   * CVE-2016-8621
     The `curl_getdate` function converts a given date string into a
     numerical timestamp and it supports a range of different formats and
     possibilities to express a date and time.
     The underlying date parsing function is also used internally when
     parsing for example HTTP cookies (possibly received from remote
     servers) and it can be used when doing conditional HTTP requests.
   * CVE-2016-8622
     The URL percent-encoding decode function in libcurl is called
     `curl_easy_unescape`. Internally, even if this function would be
     made to allocate an unescape destination buffer larger than 2GB, it
     would return that new length in a signed 32 bit integer variable,
     thus the length would get either just truncated or both truncated
     and turned negative. That could then lead to libcurl writing outside
     of its heap based buffer.
   * CVE-2016-8623
     9/11 curl Use-after-free via shared cookies
     libcurl explicitly allows users to share cookies between multiple
     easy handles that are concurrently employed by different threads.
     When cookies to be sent to a server are collected, the matching
     function collects all cookies to send and the cookie lock is
     released immediately afterwards. That function however only returns
     a list with *references* back to the original strings for name,
     value, path and so on. Therefore, if another thread quickly takes
     the lock and frees one of the original cookie structs together with
     its strings, a use-after-free can occur and lead to information
     disclosure. Another thread can also replace the contents of the
     cookies from separate HTTP responses or API calls.
   * CVE-2016-8624
     10/11 curl invalid URL parsing with '#'
     curl doesn't parse the authority component of the URL correctly when
     the host name part ends with a '#' character, and could instead be
     tricked into connecting to a different host. This may have security
     implications if you for example use a URL parser that follows the
     RFC to check for allowed domains before using curl to request them.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
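
The `fgets()` truncation described under CVE-2016-8615, as an added example that is neither curl's code nor its patch: the same constructed jar is read once by a naive line reader and once by a reader that discards lines that did not fit. The buffer size, function names and jar contents are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define DEMO_BUF 32  /* assumption: tiny buffer so the split is easy to see */

/* Naive reader: every fgets() return is taken as one record, so the tail
   of an over-long line is parsed as if it were a record of its own. */
static int count_records_naive(FILE *fp)
{
  char buf[DEMO_BUF];
  int n = 0;
  while(fgets(buf, sizeof(buf), fp))
    n++;
  return n;
}

/* Strict reader: a chunk with no trailing newline (and not at EOF) did not
   fit; drop it and every following chunk up to and including the newline. */
static int count_records_strict(FILE *fp)
{
  char buf[DEMO_BUF];
  int n = 0, skipping = 0;
  while(fgets(buf, sizeof(buf), fp)) {
    size_t len = strlen(buf);
    int complete = (len > 0 && buf[len - 1] == '\n') || feof(fp);
    if(!skipping && complete)
      n++;                  /* the whole line fit in one read */
    skipping = !complete;   /* stays set until the newline is consumed */
  }
  return n;
}

/* Constructed jar: two short lines around one 56-byte line (15 + 40 + 1). */
static int demo_jar(int strict)
{
  char pad[41] = {0};
  FILE *fp = tmpfile();
  int n;
  if(!fp) return -1;
  memset(pad, 'X', 40);
  fprintf(fp, "a.example\tk\tv\na.example\tlong\t%s\nb.example\tk\tv\n", pad);
  rewind(fp);
  n = strict ? count_records_strict(fp) : count_records_naive(fp);
  fclose(fp);
  return n;
}

int main(void) { printf("naive=%d strict=%d\n", demo_jar(0), demo_jar(1)); return 0; }
```

The naive reader reports one record more than the file has lines, because the 56-byte line is returned in two pieces; the strict reader keeps only the two lines that fit.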
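
The allocation-size wrap described under CVE-2016-8617, as an added example that is neither libcurl's code nor its patch: `uint32_t` stands in for a 32-bit `size_t` so the behaviour is the same on a 64-bit host. The function names and the bound used in the checked variant are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* The expression quoted in the advisory, evaluated in 32-bit arithmetic. */
static uint32_t b64_alloc_unchecked(uint32_t insize)
{
  return insize * 4 / 3 + 4;
}

/* Checked variant: returns 0 (refuse) when insize * 4 + 4 cannot be
   represented in 32 bits, otherwise the same size as above. */
static uint32_t b64_alloc_checked(uint32_t insize)
{
  if(insize > (UINT32_MAX - 4) / 4)
    return 0;
  return insize * 4 / 3 + 4;
}

/* Bytes a base64 encoder writes: 4 characters per started 3-byte group,
   plus the terminating NUL. Computed in 64 bits so it cannot wrap here. */
static uint64_t b64_bytes_written(uint32_t insize)
{
  return ((uint64_t)insize + 2) / 3 * 4 + 1;
}

int main(void)
{
  uint32_t one_gib = 0x40000000u;  /* the "at least 1GB" case */
  printf("unchecked alloc: %u bytes, written: %llu bytes, checked: %u\n",
         (unsigned)b64_alloc_unchecked(one_gib),
         (unsigned long long)b64_bytes_written(one_gib),
         (unsigned)b64_alloc_checked(one_gib));
  return 0;
}
```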