Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Hi Release Team I would like to upload curl/7.26.0-1+wheezy2 via t-p-u fixing #705274 (CVE-2013-1944). Attached is the prepared debdiff for this. In case you wonder why not Alessandro did the uploads: Alessandro contacted comaintainers and security team if we can do the uploads. Does it looks also okay to you? Can I proceed with the upload for wheezy-proposed-updates? (would you prefer testing-proposed-updates instead?) unblock curl/7.26.0-1+wheezy2 Many thanks for your work for the release! Regards, Salvatore
diff -Nru curl-7.26.0/debian/changelog curl-7.26.0/debian/changelog --- curl-7.26.0/debian/changelog 2013-02-10 19:15:35.000000000 +0100 +++ curl-7.26.0/debian/changelog 2013-04-13 11:52:34.000000000 +0200 @@ -1,3 +1,15 @@ +curl (7.26.0-1+wheezy2) wheezy-proposed-updates; urgency=high + + [ Alessandro Ghedini ] + * Fix cookie domain tailmatch as per CVE-2013-1944 + http://curl.haxx.se/docs/adv_20130412.html (Closes: #705274) + * Set urgency=high accordingly + + [ Salvatore Bonaccorso ] + * Add testcase for CVE-2013-1944 + + -- Alessandro Ghedini <gh...@debian.org> Wed, 10 Apr 2013 22:56:48 +0200 + curl (7.26.0-1+wheezy1) testing-proposed-updates; urgency=high * Fix buffer overflow when negotiating SMTP DIGEST-MD5 authentication diff -Nru curl-7.26.0/debian/patches/06_curl-tailmatch-CVE-2013-1944.patch curl-7.26.0/debian/patches/06_curl-tailmatch-CVE-2013-1944.patch --- curl-7.26.0/debian/patches/06_curl-tailmatch-CVE-2013-1944.patch 1970-01-01 01:00:00.000000000 +0100 +++ curl-7.26.0/debian/patches/06_curl-tailmatch-CVE-2013-1944.patch 2013-04-13 11:52:34.000000000 +0200 @@ -0,0 +1,51 @@ +From 5b1bca89609f67fcd27cea0e9f382c8c1caad041 Mon Sep 17 00:00:00 2001 +From: YAMADA Yasuharu <yasuharu.yam...@access-company.com> +Date: Wed, 10 Apr 2013 11:22:09 +0200 +Subject: [PATCH] cookie: fix tailmatching to prevent cross-domain leakage + +Cookies set for 'example.com' could accidentaly also be sent by libcurl +to the 'bexample.com' (ie with a prefix to the first domain name). + + lib/cookie.c | 24 +++++++++++++++++++----- + 2 files changed, 21 insertions(+), 6 deletions(-) + +diff --git a/lib/cookie.c b/lib/cookie.c +index 4b9ec0b..a67204e 100644 +--- a/lib/cookie.c ++++ b/lib/cookie.c +@@ -118,15 +118,29 @@ static void freecookie(struct Cookie *co) + free(co); + } + +-static bool tailmatch(const char *little, const char *bigone) ++static bool tailmatch(const char *cooke_domain, const char *hostname) + { +- size_t littlelen = strlen(little); +- size_t biglen = strlen(bigone); ++ size_t cookie_domain_len = strlen(cooke_domain); ++ size_t hostname_len = strlen(hostname); + +- if(littlelen > biglen) ++ if(hostname_len < cookie_domain_len) + return FALSE; + +- return Curl_raw_equal(little, bigone+biglen-littlelen) ? TRUE : FALSE; ++ if(!Curl_raw_equal(cooke_domain, hostname+hostname_len-cookie_domain_len)) ++ return FALSE; ++ ++ /* A lead char of cookie_domain is not '.'. ++ RFC6265 4.1.2.3. The Domain Attribute says: ++ For example, if the value of the Domain attribute is ++ "example.com", the user agent will include the cookie in the Cookie ++ header when making HTTP requests to example.com, www.example.com, and ++ www.corp.example.com. ++ */ ++ if(hostname_len == cookie_domain_len) ++ return TRUE; ++ if('.' == *(hostname + hostname_len - cookie_domain_len - 1)) ++ return TRUE; ++ return FALSE; + } + + /* + diff -Nru curl-7.26.0/debian/patches/07_test1218-another-cookie-tailmatch-test.patch curl-7.26.0/debian/patches/07_test1218-another-cookie-tailmatch-test.patch --- curl-7.26.0/debian/patches/07_test1218-another-cookie-tailmatch-test.patch 1970-01-01 01:00:00.000000000 +0100 +++ curl-7.26.0/debian/patches/07_test1218-another-cookie-tailmatch-test.patch 2013-04-13 11:52:34.000000000 +0200 @@ -0,0 +1,101 @@ +From 5c5e1a1cd206ad8feadaa83a37d0326ba45cf45d Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <dan...@haxx.se> +Date: Wed, 10 Apr 2013 13:40:36 +0200 +Subject: [PATCH] test1218: another cookie tailmatch test + +... and make 1216 also verify it with a file input + +These tests verify commit 3604fde3d3c9b0d, the fix for the "cookie +domain tailmatch" vulnerability. See +http://curl.haxx.se/docs/adv_20130412.html +--- + tests/data/Makefile.am | 2 +- + tests/data/test1216 | 3 ++- + tests/data/test1218 | 61 ++++++++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 64 insertions(+), 2 deletions(-) + create mode 100644 tests/data/test1218 + +--- /dev/null ++++ b/tests/data/test1218 +@@ -0,0 +1,61 @@ ++<testcase> ++<info> ++<keywords> ++HTTP ++HTTP GET ++HTTP proxy ++cookies ++</keywords> ++</info> ++ ++# This test is very similar to 1216, only that it sets the cookies from the ++# first site instead of reading from a file ++<reply> ++<data> ++HTTP/1.1 200 OK ++Date: Tue, 25 Sep 2001 19:37:44 GMT ++Set-Cookie: domain=.example.fake; bug=fixed; ++Content-Length: 21 ++ ++This server says moo ++</data> ++</reply> ++ ++# Client-side ++<client> ++<server> ++http ++</server> ++ <name> ++HTTP cookies and domains with same prefix ++ </name> ++ <command> ++http://example.fake/c/1218 http://example.fake/c/1218 http://bexample.fake/c/1218 -b nonexisting -x %HOSTIP:%HTTPPORT ++</command> ++</client> ++ ++# Verify data after the test has been "shot" ++<verify> ++<strip> ++^User-Agent:.* ++</strip> ++<protocol> ++GET http://example.fake/c/1218 HTTP/1.1 ++Host: example.fake ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++GET http://example.fake/c/1218 HTTP/1.1 ++Host: example.fake ++Accept: */* ++Proxy-Connection: Keep-Alive ++Cookie: bug=fixed ++ ++GET http://bexample.fake/c/1218 HTTP/1.1 ++Host: bexample.fake ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++</protocol> ++</verify> ++</testcase> +--- a/tests/data/Makefile.am ++++ b/tests/data/Makefile.am +@@ -78,6 +78,7 @@ + test1126 test1127 test1128 test1129 test1130 test1131 \ + test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \ + test1208 test1209 test1210 test1211 \ ++test1218 \ + test1220 \ + test1300 test1301 test1302 test1303 test1304 test1305 \ + test1306 test1307 test1308 test1309 test1310 test1311 test1312 test1313 \ +--- a/tests/data/Makefile.in ++++ b/tests/data/Makefile.in +@@ -337,6 +337,7 @@ + test1126 test1127 test1128 test1129 test1130 test1131 \ + test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \ + test1208 test1209 test1210 test1211 \ ++test1218 \ + test1220 \ + test1300 test1301 test1302 test1303 test1304 test1305 \ + test1306 test1307 test1308 test1309 test1310 test1311 test1312 test1313 \ diff -Nru curl-7.26.0/debian/patches/series curl-7.26.0/debian/patches/series --- curl-7.26.0/debian/patches/series 2013-02-10 19:14:42.000000000 +0100 +++ curl-7.26.0/debian/patches/series 2013-04-13 11:52:34.000000000 +0200 @@ -3,6 +3,8 @@ 03_keep_symbols_compat.patch 04_workaround_as_needed_bug.patch 05_curl-sasl-CVE-2013-0249.patch +06_curl-tailmatch-CVE-2013-1944.patch +07_test1218-another-cookie-tailmatch-test.patch 90_gnutls.patch 99_nss.patch
