[security-announce] cURL: Security update

Sona Sarmadi sona.sarmadi at enea.com
Thu Aug 6 21:19:19 CEST 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

	Enea Linux Security Advisory
=========================================================
Product/package: cURL 7.37.1
CVE Name: CVE-2014-3707, CVE-2014-8150, CVE-2015-3143,
CVE-2015-3143, CVE-2015-3144, CVE-2015-3145
=========================================================
This security patch fixes several vulnerabilities in cURL 7.37.1.

Signed patch and README files
================================
0025-curl-several-security-fixes.patch
0025-curl-several-security-fixes.patch.sig
0025-curl-several-security-fixes.README.asc

Descriptions
============
CVE-2014-3707:
The curl_easy_duphandle function in libcurl 7.17.1 through
7.38.0, when running with the CURLOPT_COPYPOSTFIELDS option,
does not properly copy HTTP POST data for an easy handle,
which triggers an out-of-bounds read that allows remote web
servers to read sensitive memory information.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3707

CVE-2014-8150:
CRLF injection vulnerability in libcurl 6.0 through 7.x
before 7.40.0, when using an HTTP proxy, allows remote attackers
to inject arbitrary HTTP headers and conduct HTTP response
splitting attacks via CRLF sequences in a URL.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8150

CVE-2015-3143:
cURL and libcurl 7.10.6 through 7.41.0 do not properly
re-use NTLM connections, which allows remote attackers to
connect as other users via an unauthenticated request, a
similar issue to CVE-2014-0015.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3143

CVE-2015-3144:
The fix_hostname function in cURL and libcurl 7.37.0
through 7.41.0 does not properly calculate an index, which
allows remote attackers to cause a denial of service
(out-of-bounds read or write and crash) or possibly have
other unspecified impact via a zero-length host name,
as demonstrated by "http://:80" and ":80."
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3144

CVE-2015-3145:
The sanitize_cookie_path function in cURL and libcurl
7.31.0 through 7.41.0 does not properly calculate an index,
which allows remote attackers to cause a denial of service
(out-of-bounds write and crash) or possibly have other
unspecified impact via a cookie path containing only a
double-quote character.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3145

CVE-2015-3153:
The default configuration for cURL and libcurl before 7.42.1
sends custom HTTP headers to both the proxy and destination
server, which might allow remote proxy servers to obtain
sensitive information by reading the header contents.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3153

References
==========
http://curl.haxx.se/docs/adv_20150422A.html
http://curl.haxx.se/docs/adv_20150422D.html
http://curl.haxx.se/docs/adv_20150422C.html
http://curl.haxx.se/docs/adv_20141105.html
http://curl.haxx.se/docs/adv_20150108B.html
http://curl.haxx.se/docs/adv_20150429.html

How to apply the patches
=======================
- Preparation
Make sure that you have an installation of Enea Linux and have
applied the existing patches in the right order.

wget https://linux.enea.com/5.0-beta-m400/\
Enea-Linux-5.0-beta-m400.tar.gz
tar zxf Enea-Linux-5.0-beta-m400.tar.gz
cd Enea-Linux-5.0-beta-m400/poky
<Fetch and apply the existing patches >

- Fetch, verify and apply the new patch
wget https://linux.enea.com/5.0-beta-m400/patches/0025-curl-several-security-fixes.patch
wget https://linux.enea.com/5.0-beta-m400/patches/0025-curl-several-security-fixes.patch.sig
gpg --verify 0025-curl-several-security-fixes.patch.sig
patch -p1 < ./0025-curl-several-security-fixes.patch


If you have any questions regarding the security patches and security
updates please contact security at enea.com.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----
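
The verify and apply steps from the advisory above can be chained so that the patch is never applied when the signature check fails. This is an added example, not part of the original advisory; the function name `apply_verified_patch` and its return codes are hypothetical, and it assumes GnuPG and GNU patch, with the signer's public key already imported and its fingerprint confirmed out of band.

```shell
#!/bin/sh
# Added example (not from the advisory): apply a patch only after its
# detached signature verifies and a dry run shows it applies cleanly.
#
# Assumption: the signer's key is already in the local keyring. gpg exits 0
# for a good signature even from a key you have not certified (it only
# prints a warning), so confirm the key fingerprint separately.
#
# Usage, from the poky directory:
#   apply_verified_patch 0025-curl-several-security-fixes.patch
#
# Return codes (hypothetical, chosen for this example):
#   0 applied, 2 file missing, 3 bad signature, 4 dry run failed, 5 apply failed
apply_verified_patch() {
    patch_file=$1
    sig_file=${2:-$1.sig}      # default: <patch>.sig, as named in the advisory

    [ -f "$patch_file" ] && [ -f "$sig_file" ] || {
        echo "missing $patch_file or $sig_file" >&2
        return 2
    }

    # Pass both the signature and the signed file, so gpg checks exactly
    # the file that will be fed to patch rather than guessing its name.
    if ! gpg --verify "$sig_file" "$patch_file"; then
        echo "signature check failed, not applying $patch_file" >&2
        return 3
    fi

    # Dry run first: a patch that fails half way leaves the tree in a
    # mixed state, which is easy to mistake for a patched one.
    if ! patch -p1 --dry-run < "$patch_file" > /dev/null; then
        echo "$patch_file does not apply cleanly, tree left untouched" >&2
        return 4
    fi

    patch -p1 < "$patch_file" || return 5
}
```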


