Accepted curl 7.26.0-1+wheezy17 (source amd64) into oldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 10 Nov 2016 17:31:06 +0100
Source: curl
Binary: curl libcurl3 libcurl3-gnutls libcurl3-nss libcurl4-openssl-dev libcurl4-gnutls-dev libcurl4-nss-dev libcurl3-dbg
Architecture: source amd64
Version: 7.26.0-1+wheezy17
Distribution: wheezy-security
Urgency: high
Maintainer: Alessandro Ghedini <ghedo@debian.org>
Changed-By: Thorsten Alteholz <debian@alteholz.de>
Description:
curl - command line tool for transferring data with URL syntax
libcurl3 - easy-to-use client-side URL transfer library (OpenSSL flavour)
libcurl3-dbg - debugging symbols for libcurl (OpenSSL, GnuTLS and NSS flavours)
libcurl3-gnutls - easy-to-use client-side URL transfer library (GnuTLS flavour)
libcurl3-nss - easy-to-use client-side URL transfer library (NSS flavour)
libcurl4-gnutls-dev - development files and documentation for libcurl (GnuTLS flavour)
libcurl4-nss-dev - development files and documentation for libcurl (NSS flavour)
libcurl4-openssl-dev - development files and documentation for libcurl (OpenSSL flavour)
Changes:
curl (7.26.0-1+wheezy17) wheezy-security; urgency=high
.
* Non-maintainer upload by the LTS Team.
* CVE-2016-8615
If cookie state is written into a cookie jar file that is later read
back and used for subsequent requests, a malicious HTTP server can
inject new cookies for arbitrary domains into said cookie jar.
The issue pertains to the function that loads cookies into memory, which
reads the specified file into a fixed-size buffer in a line-by-line
manner using the `fgets()` function. If an invocation of fgets() cannot
read the whole line into the destination buffer due to it being too
small, it truncates the output.
This way, a very long cookie (name + value) sent by a malicious server
would be stored in the file and subsequently that cookie could be read
partially and, if crafted correctly, could be treated as a different
cookie for another server.
* CVE-2016-8616
When re-using a connection, curl was doing case insensitive comparisons
of user name and password with the existing connections.
This means that if an unused connection with proper credentials exists
for a protocol that has connection-scoped credentials, an attacker can
cause that connection to be reused if s/he knows the case-insensitive
version of the correct password.
* CVE-2016-8617
In libcurl's base64 encode function, the output buffer is allocated
as follows without any checks on insize:
malloc( insize * 4 / 3 + 4 )
On systems with 32-bit addresses in userspace (e.g. x86, ARM, x32),
the multiplication in the expression wraps around if insize is at
least 1GB of data. If this happens, an undersized output buffer will
be allocated, but the full result will be written, thus causing the
memory behind the output buffer to be overwritten.
Systems with 64 bit versions of the `size_t` type are not affected
by this issue.
* CVE-2016-8618
The libcurl API function called `curl_maprintf()` can be tricked into
doing a double-free due to an unsafe `size_t` multiplication, on
systems using 32 bit `size_t` variables. The function is also used
internally in numerous situations.
Systems with 64 bit versions of the `size_t` type are not affected
by this issue.
* CVE-2016-8619
In curl's implementation of the Kerberos authentication mechanism,
the function `read_data()` in security.c is used to fill the
necessary krb5 structures. When reading one of the length fields from
the socket, it fails to ensure that the length parameter passed to
realloc() is not set to 0.
* CVE-2016-8621
The `curl_getdate` converts a given date string into a numerical
timestamp and it supports a range of different formats and
possibilities to express a date and time. The underlying date
parsing function is also used internally when parsing for example
HTTP cookies (possibly received from remote servers) and it can be
used when doing conditional HTTP requests.
* CVE-2016-8622
The URL percent-encoding decode function in libcurl is called
`curl_easy_unescape`. Internally, even if this function would be
made to allocate an unescape destination buffer larger than 2GB, it
would return that new length in a signed 32 bit integer variable,
thus the length would get either just truncated or both truncated
and turned negative. That could then lead to libcurl writing outside
of its heap based buffer.
* CVE-2016-8623 9/11 curl Use-after-free via shared cookies
libcurl explicitly allows users to share cookies between multiple
easy handles that are concurrently employed by different threads.
When cookies to be sent to a server are collected, the matching
function collects all cookies to send and the cookie lock is released
immediately afterwards. That function however only returns a list with
*references* back to the original strings for name, value, path and so
on. Therefore, if another thread quickly takes the lock and frees one
of the original cookie structs together with its strings,
a use-after-free can occur and lead to information disclosure. Another
thread can also replace the contents of the cookies from separate HTTP
responses or API calls.
* CVE-2016-8624 10/11 curl invalid URL parsing with '#'
curl doesn't parse the authority component of the URL correctly when
the host name part ends with a '#' character, and could instead be
tricked into connecting to a different host. This may have security
implications if you for example use a URL parser that follows the RFC
to check for allowed domains before using curl to request them.
Checksums-Sha1:
b111b030f4b7c0083c487aaff2f2f09570c5d69f 2693 curl_7.26.0-1+wheezy17.dsc
66e1fd0312f62374b96fe02e644f66202fd6324b 3073624 curl_7.26.0.orig.tar.gz
409ddfa08f185b914804b7181555f9cbc5834fab 63572 curl_7.26.0-1+wheezy17.debian.tar.gz
5c972ee44b31b9ecfa109973fa0bb215a44b7ebb 272596 curl_7.26.0-1+wheezy17_amd64.deb
b637b1b47c48da8d89d9559ca890abf0c91a70f2 334172 libcurl3_7.26.0-1+wheezy17_amd64.deb
dbfe7cf16c9503c98f4a520c9a3b9e3b209a6d42 325386 libcurl3-gnutls_7.26.0-1+wheezy17_amd64.deb
ac17a854a288f22fefe615eca8e3c97d986a3939 331908 libcurl3-nss_7.26.0-1+wheezy17_amd64.deb
a3eb342992c53155b0989c196ce2ce83c3fd63b5 1276094 libcurl4-openssl-dev_7.26.0-1+wheezy17_amd64.deb
687aa4d9b65ca6902d39f46dcffb159f0f101622 1265144 libcurl4-gnutls-dev_7.26.0-1+wheezy17_amd64.deb
eadc425b06d6235b807aa1b0fc955ff2c99dea93 1272604 libcurl4-nss-dev_7.26.0-1+wheezy17_amd64.deb
9c1603f0b5f92cd11f4cfc7faa040a3fd879b0db 3310262 libcurl3-dbg_7.26.0-1+wheezy17_amd64.deb
Checksums-Sha256:
bb86b101983e60c2a64e389a43e8f82b359a36fe111b0da22457cca879f64030 2693 curl_7.26.0-1+wheezy17.dsc
79ccce9edb8aee17d20ad4d75e1f83a789f8c2e71e68f468e1bf8abf8933193f 3073624 curl_7.26.0.orig.tar.gz
48f3a78410b5aba7a7a2b43bdef2a5bc3b674ba01ea96e98d792d7dea43de61f 63572 curl_7.26.0-1+wheezy17.debian.tar.gz
fc0eb6045151e3346a433c199a7aa66e90e4137d243d48ccfe858284a8bfd5aa 272596 curl_7.26.0-1+wheezy17_amd64.deb
37627a829fef55ecb2018384910f2cad519cfbd2fcb7a5b16226bc95587b2cb1 334172 libcurl3_7.26.0-1+wheezy17_amd64.deb
d4f5663471beda08ef7243e021982b3a3753d375f2186b70d6b024974257ecfe 325386 libcurl3-gnutls_7.26.0-1+wheezy17_amd64.deb
eacf38e42d341ce6aacc509db2fa85d0d18e4bae410a071f20c63500b7bd67aa 331908 libcurl3-nss_7.26.0-1+wheezy17_amd64.deb
c8651fa6595b0e0252b9ce2bbd1e8bb8417cc32c6532ae992e63a2e16cd16a90 1276094 libcurl4-openssl-dev_7.26.0-1+wheezy17_amd64.deb
287b8f06478c38a44aacad0114d4e1ec3ba89ea191dfc7c9acc5a3a7557e921b 1265144 libcurl4-gnutls-dev_7.26.0-1+wheezy17_amd64.deb
de10a5bf346338545617b5e47c8749a8e3676167ca860002ddf1786668f3adc8 1272604 libcurl4-nss-dev_7.26.0-1+wheezy17_amd64.deb
a718464c89da7a2343252d7eab6452693429fe74d888695e194515685e932af5 3310262 libcurl3-dbg_7.26.0-1+wheezy17_amd64.deb
Files:
fd754959527ec6ab2072c08af4e0aa8d 2693 web optional curl_7.26.0-1+wheezy17.dsc
3fa4d5236f2a36ca5c3af6715e837691 3073624 web optional curl_7.26.0.orig.tar.gz
ed41903ebb2e985aff9ebf175b13252f 63572 web optional curl_7.26.0-1+wheezy17.debian.tar.gz
c510da83eb6e99e24090c6a0a718f709 272596 web optional curl_7.26.0-1+wheezy17_amd64.deb
86559e946ace252f38a29606b6fed652 334172 libs optional libcurl3_7.26.0-1+wheezy17_amd64.deb
4b38461bc4517bc456ef704c160d4999 325386 libs optional libcurl3-gnutls_7.26.0-1+wheezy17_amd64.deb
f0ce50fa651bccc2c01adcace7f8fbbc 331908 libs optional libcurl3-nss_7.26.0-1+wheezy17_amd64.deb
312aaee8c4ff6bf2e853f91782c99e44 1276094 libdevel optional libcurl4-openssl-dev_7.26.0-1+wheezy17_amd64.deb
e72d15fc02db9a89ceb9182564e1d941 1265144 libdevel optional libcurl4-gnutls-dev_7.26.0-1+wheezy17_amd64.deb
37a9215ae608cd16d0b32ed76c3a4002 1272604 libdevel optional libcurl4-nss-dev_7.26.0-1+wheezy17_amd64.deb
54e778886e805d7cd25ba23c680caeb5 3310262 debug extra libcurl3-dbg_7.26.0-1+wheezy17_amd64.deb
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
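The CVE-2016-8617 and CVE-2016-8622 entries above both come down to size arithmetic that no longer fits the integer it is stored in: `insize * 4 / 3 + 4` wrapping a 32-bit `size_t`, and a buffer length being returned through a signed 32-bit `int`. The following C is an added example, not curl source and not part of this upload: it models a 32-bit `size_t` with `uint32_t` so the wraparound is reproducible on a 64-bit host, places the unchecked formula from the advisory beside a version that rejects inputs whose multiplication would overflow, and shows a length-to-`int` conversion that fails loudly instead of truncating. Function names are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <limits.h>
#include <stdio.h>

/* Model of a 32-bit size_t, so the wraparound the advisory describes on
 * x86/ARM/x32 can be observed on any host. (Assumption of this example.) */
typedef uint32_t size32_t;

/* The unchecked formula quoted in the CVE-2016-8617 entry.
 * For insize >= 1 GiB the multiplication wraps and the result is tiny. */
size32_t naive_b64_alloc_size(size32_t insize)
{
    return insize * 4 / 3 + 4;
}

/* Hardened form: refuse any insize whose product with 4 would not fit.
 * Returns 0 on failure; 0 is never a valid result of the formula, so a
 * caller cannot confuse the error with a real size. After the check,
 * insize * 4 <= UINT32_MAX, and dividing by 3 then adding 4 cannot wrap. */
size32_t checked_b64_alloc_size(size32_t insize)
{
    if (insize > UINT32_MAX / 4)
        return 0;
    return insize * 4 / 3 + 4;
}

/* The CVE-2016-8622 pattern: a length computed as size_t is handed back
 * through a signed 32-bit int. Converting silently would truncate or turn
 * negative above INT_MAX; this helper returns -1 instead and zeroes *out. */
int length_fits_int(size_t len, int *out)
{
    if (len > (size_t)INT_MAX) {
        *out = 0;
        return -1;
    }
    *out = (int)len;
    return 0;
}

int main(void)
{
    size32_t one_gib = 1u << 30;
    printf("naive(1 GiB)   = %u\n", naive_b64_alloc_size(one_gib));
    printf("checked(1 GiB) = %u (0 = rejected)\n", checked_b64_alloc_size(one_gib));

    int v;
    int rc = length_fits_int((size_t)INT_MAX + 1, &v);
    printf("INT_MAX+1 fits int? rc=%d\n", rc);
    return 0;
}
```

On a real 64-bit build `size_t` is 64 bits wide and the first multiplication does not wrap, which is exactly the advisory's point that such systems are unaffected by CVE-2016-8617; the `int` return in the second case is width-independent, so that check matters on every platform.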
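The CVE-2016-8615 entry describes `fgets()` silently truncating an over-long line, so the tail of one cookie record is read back as if it were the start of the next. The C below is an added example written for this page, not curl's cookie code: a bounded line reader that detects the missing newline, discards the rest of the over-long line, and reports it as a rejected record rather than parsing the fragment. The sample cookie-jar content is constructed inline and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Deliberately small buffer so an over-long record is easy to produce. */
#define LINE_BUF 64

/* Read one line into buf (capacity n).
 * Returns 1 for a complete line (or a final line without newline),
 *         2 when the line exceeded the buffer (the remainder up to the next
 *           newline has been consumed so it cannot masquerade as a new record),
 *         0 at end of file. */
int read_bounded_line(FILE *fp, char *buf, size_t n)
{
    if (!fgets(buf, (int)n, fp))
        return 0;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n')
        return 1;
    /* No newline in the buffer: drain the rest of this line. */
    int c, discarded = 0;
    while ((c = fgetc(fp)) != EOF && c != '\n')
        discarded = 1;
    return discarded ? 2 : 1;
}

typedef struct { int complete; int truncated; } line_stats;

/* Write content to a temp file and scan it with the bounded reader,
 * counting complete records and rejected (truncated) ones. */
line_stats scan_cookie_jar(const char *content)
{
    line_stats st = {0, 0};
    FILE *fp = tmpfile();
    if (!fp)
        return st;
    fputs(content, fp);
    rewind(fp);
    char buf[LINE_BUF];
    int r;
    while ((r = read_bounded_line(fp, buf, sizeof buf)) != 0) {
        if (r == 1)
            st.complete++;
        else
            st.truncated++;   /* reject instead of parsing the partial line */
    }
    fclose(fp);
    return st;
}

/* The unsafe pattern: every fgets() return is treated as one record, so an
 * over-long line becomes several bogus records. Returns the record count. */
int naive_chunk_count(const char *content)
{
    int n = 0;
    FILE *fp = tmpfile();
    if (!fp)
        return -1;
    fputs(content, fp);
    rewind(fp);
    char buf[LINE_BUF];
    while (fgets(buf, (int)sizeof buf, fp))
        n++;
    fclose(fp);
    return n;
}

/* Constructed sample (Netscape cookie-jar layout, made-up values):
 * three records, the middle one carrying a 300-byte value. */
const char *sample_jar(void)
{
    static char jar[512];
    if (jar[0] == '\0') {
        strcpy(jar, "example.test\tFALSE\t/\tFALSE\t0\tshort\tv1\n");
        strcat(jar, "example.test\tFALSE\t/\tFALSE\t0\tlong\t");
        size_t l = strlen(jar);
        memset(jar + l, 'x', 300);
        jar[l + 300] = '\n';
        jar[l + 301] = '\0';
        strcat(jar, "example.test\tFALSE\t/\tFALSE\t0\tshort\tv2\n");
    }
    return jar;
}

int main(void)
{
    line_stats st = scan_cookie_jar(sample_jar());
    printf("naive records: %d\n", naive_chunk_count(sample_jar()));
    printf("bounded: %d complete, %d rejected\n", st.complete, st.truncated);
    return 0;
}
```

With the 64-byte buffer the naive loop sees eight "records" for three lines, five of them fragments of the long value; the bounded reader sees two complete records and one rejected one.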