[gentoo-announce] [ GLSA 201203-02 ] cURL: Multiple vulnerabilities - gentoo-announce

From:	Sean Amoss <ackle@g.o>
To:	gentoo-announce@g.o
Subject:	[gentoo-announce] [ GLSA 201203-02 ] cURL: Multiple vulnerabilities
Date:	Tue, 06 Mar 2012 03:16:04
Message-Id:	`4F556872.1080307@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 201203-02

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                            http://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

 Severity: Normal

8

    Title: cURL: Multiple vulnerabilities

9

     Date: March 06, 2012

10

     Bugs: #308645, #373235, #400799

11

       ID: 201203-02

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

Multiple vulnerabilities have been found in cURL, the worst of which

19

might allow remote execution of arbitrary code.

20

21

Background

22

==========

23

24

cURL is a command line tool for transferring files with URL syntax,

25

supporting numerous protocols.

26

27

Affected packages

28

=================

29

30

    -------------------------------------------------------------------

31

     Package              /     Vulnerable     /            Unaffected

32

    -------------------------------------------------------------------

33

  1  net-misc/curl                < 7.24.0                  >= 7.24.0

34

35

Description

36

===========

37

38

Multiple vulnerabilities have been found in cURL:

39

40

* When zlib is enabled, the amount of data sent to an application for

41

  automatic decompression is not restricted (CVE-2010-0734).

42

* When performing GSSAPI authentication, credential delegation is

43

  always used (CVE-2011-2192).

44

* When SSL is enabled, cURL improperly disables the OpenSSL workaround

45

  to mitigate an information disclosure vulnerability in the SSL and

46

  TLS protocols (CVE-2011-3389).

47

* libcurl does not properly verify file paths for escape control

48

  characters in IMAP, POP3 or SMTP URLs (CVE-2012-0036).

49

50

Impact

51

======

52

53

A remote attacker could entice a user or automated process to open a

54

specially crafted file or URL using cURL, possibly resulting in the

55

remote execution of arbitrary code, a Denial of Service condition,

56

disclosure of sensitive information, or unwanted actions performed via

57

the IMAP, POP3 or SMTP protocols. Furthermore, remote servers may be

58

able to impersonate clients via GSSAPI requests.

59

60

Workaround

61

==========

62

63

There is no known workaround at this time.

64

65

Resolution

66

==========

67

68

All cURL users should upgrade to the latest version:

69

70

  # emerge --sync

71

  # emerge --ask --oneshot --verbose ">=net-misc/curl-7.24.0"

72

73

References

74

==========

75

76

[ 1 ] CVE-2010-0734

77

      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0734

78

[ 2 ] CVE-2011-2192

79

      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2192

80

[ 3 ] CVE-2011-3389

81

      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3389

82

[ 4 ] CVE-2012-0036

83

      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0036

84

85

Availability

86

============

87

88

This GLSA and any updates to it are available for viewing at

89

the Gentoo Security Website:

90

91

 http://security.gentoo.org/glsa/glsa-201203-02.xml

92

93

Concerns?

94

=========

95

96

Security is a primary focus of Gentoo Linux and ensuring the

97

confidentiality and security of our users' machines is of utmost

98

importance to us. Any security concerns should be addressed to

99

security@g.o or alternatively, you may file a bug at

100

https://bugs.gentoo.org.

101

102

License

103

=======

104

105

Copyright 2012 Gentoo Foundation, Inc; referenced text

106

belongs to its owner(s).

107

108

The contents of this document are licensed under the

109

Creative Commons - Attribution / Share Alike license.

110

111

http://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 201203-02
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	http://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Normal
8	Title: cURL: Multiple vulnerabilities
9	Date: March 06, 2012
10	Bugs: #308645, #373235, #400799
11	ID: 201203-02
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	Multiple vulnerabilities have been found in cURL, the worst of which
19	might allow remote execution of arbitrary code.
20
21	Background
22	==========
23
24	cURL is a command line tool for transferring files with URL syntax,
25	supporting numerous protocols.
26
27	Affected packages
28	=================
29
30	-------------------------------------------------------------------
31	Package / Vulnerable / Unaffected
32	-------------------------------------------------------------------
33	1 net-misc/curl < 7.24.0 >= 7.24.0
34
35	Description
36	===========
37
38	Multiple vulnerabilities have been found in cURL:
39
40	* When zlib is enabled, the amount of data sent to an application for
41	automatic decompression is not restricted (CVE-2010-0734).
42	* When performing GSSAPI authentication, credential delegation is
43	always used (CVE-2011-2192).
44	* When SSL is enabled, cURL improperly disables the OpenSSL workaround
45	to mitigate an information disclosure vulnerability in the SSL and
46	TLS protocols (CVE-2011-3389).
47	* libcurl does not properly verify file paths for escape control
48	characters in IMAP, POP3 or SMTP URLs (CVE-2012-0036).
49
50	Impact
51	======
52
53	A remote attacker could entice a user or automated process to open a
54	specially crafted file or URL using cURL, possibly resulting in the
55	remote execution of arbitrary code, a Denial of Service condition,
56	disclosure of sensitive information, or unwanted actions performed via
57	the IMAP, POP3 or SMTP protocols. Furthermore, remote servers may be
58	able to impersonate clients via GSSAPI requests.
59
60	Workaround
61	==========
62
63	There is no known workaround at this time.
64
65	Resolution
66	==========
67
68	All cURL users should upgrade to the latest version:
69
70	# emerge --sync
71	# emerge --ask --oneshot --verbose ">=net-misc/curl-7.24.0"
72
73	References
74	==========
75
76	[ 1 ] CVE-2010-0734
77	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0734
78	[ 2 ] CVE-2011-2192
79	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2192
80	[ 3 ] CVE-2011-3389
81	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3389
82	[ 4 ] CVE-2012-0036
83	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0036
84
85	Availability
86	============
87
88	This GLSA and any updates to it are available for viewing at
89	the Gentoo Security Website:
90
91	http://security.gentoo.org/glsa/glsa-201203-02.xml
92
93	Concerns?
94	=========
95
96	Security is a primary focus of Gentoo Linux and ensuring the
97	confidentiality and security of our users' machines is of utmost
98	importance to us. Any security concerns should be addressed to
99	security@g.o or alternatively, you may file a bug at
100	https://bugs.gentoo.org.
101
102	License
103	=======
104
105	Copyright 2012 Gentoo Foundation, Inc; referenced text
106	belongs to its owner(s).
107
108	The contents of this document are licensed under the
109	Creative Commons - Attribution / Share Alike license.
110
111	http://creativecommons.org/licenses/by-sa/2.5