Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:curl
User: [email protected]
Usertags: pu

[ Reason ]
The curl package version in Debian Bookworm suffers from a minor CVE:

[1]: https://security-tracker.debian.org/tracker/CVE-2025-9086

The updated package version contains the backported upstream patch to close the vulnerability.

[ Impact ]
If the update is not approved, all curl installations on Debian Bookworm machines will remain vulnerable to the exploit: CVE-2025-9086 allows for an out-of-bound read for the cookie path.

[ Tests ]
All upstream tests are run as part of the existing autopkgtest suite and pass.

[ Risks ]
Errors in backporting the patch such that it doesn't close the vulnerability or introduces regressions which are not caught by the upstream tests.

The cookie handling patch with the fix for [CVE-2025-9086][1] had to be backported:
https://salsa.debian.org/debian/curl/-/merge_requests/56/diffs?commit_id=4c5cbbd195f2440eb3a15c4ce19bbb9b7c1707eb

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
* Backported patch to not drop trailing slash in cookie path if that is its only component.

[ Other info ]
The fix for [CVE-2025-9086][1] has been [patched in a Trixie proposed-updates request already][2], where the upstream patch applied cleanly, however.

[2]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120262

diff -Nru curl-7.88.1/debian/changelog curl-7.88.1/debian/changelog --- curl-7.88.1/debian/changelog 2025-07-19 21:04:59.000000000 +0200 +++ curl-7.88.1/debian/changelog 2025-09-27 19:16:29.000000000 +0200 @@ -1,3 +1,11 @@ +curl (7.88.1-10+deb12u15) UNRELEASED; urgency=medium + + * Team upload. + * Backport upstream patch for CVE-2025-9086 + - cookie: don't treat the leading slash as trailing + + -- Alex <[email protected]> Sat, 27 Sep 2025 19:16:29 +0200 + curl (7.88.1-10+deb12u14) bookworm; urgency=medium * d/p/0001-http_chunks-reset...: New patch to fix memory leak: diff -Nru curl-7.88.1/debian/patches/CVE-2025-9086.patch curl-7.88.1/debian/patches/CVE-2025-9086.patch --- curl-7.88.1/debian/patches/CVE-2025-9086.patch 1970-01-01 01:00:00.000000000 +0100 +++ curl-7.88.1/debian/patches/CVE-2025-9086.patch 2025-09-27 19:16:29.000000000 +0200 
@@ -0,0 +1,56 @@ +From c6ae07c6a541e0e96d0040afb62b45dd37711300 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <[email protected]> +Date: Mon, 11 Aug 2025 20:23:05 +0200 +Subject: [PATCH] cookie: don't treat the leading slash as trailing + +If there is only a leading slash in the path, keep that. Also add an +assert to make sure the path is never blank. + +Reported-by: Google Big Sleep +Closes #18266 + +Backported-By: Alex <[email protected]> + +Changes: +* Refresh patch context for lib/cookie.c + +--- + lib/cookie.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/lib/cookie.c b/lib/cookie.c +index c825a6b..5fdaf60 100644 +--- a/lib/cookie.c ++++ b/lib/cookie.c +@@ -313,8 +313,8 @@ static char *sanitize_cookie_path(const char *cookie_path) + return new_path; + } + +- /* convert /hoge/ to /hoge */ +- if(len && new_path[len - 1] == '/') { ++ /* remove trailing slash when path is non-empty */ ++ if(len > 1 && new_path[len - 1] == '/') { + new_path[len - 1] = 0x0; + } + +@@ -1091,7 +1091,7 @@ Curl_cookie_add(struct Curl_easy *data, + clist->spath && co->spath && /* both have paths */ + clist->secure && !co->secure && !secure) { + size_t cllen; +- const char *sep; ++ const char *sep = NULL; + + /* + * A non-secure cookie may not overlay an existing secure cookie. +@@ -1100,8 +1100,9 @@ Curl_cookie_add(struct Curl_easy *data, + * "/loginhelper" is ok. + */ + +- sep = strchr(clist->spath + 1, '/'); +- ++ DEBUGASSERT(clist->spath[0]); ++ if(clist->spath[0]) ++ sep = strchr(clist->spath + 1, '/'); + if(sep) + cllen = sep - clist->spath; + else diff -Nru curl-7.88.1/debian/patches/series curl-7.88.1/debian/patches/series --- curl-7.88.1/debian/patches/series 2025-07-19 21:04:59.000000000 +0200 +++ curl-7.88.1/debian/patches/series 2025-09-27 19:16:29.000000000 +0200 
@@ -62,6 +62,9 @@ # Patches from 8.12.0. CVE-2025-0167.patch +# Patches from 8.16.0 +CVE-2025-9086.patch + # Fix test issues with port clashes, now each build has a different random seed. runtests.pl-Increase-variance-of-random-seed-used-for-tes.patch
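Review bot: In the debian/changelog hunk, the new 7.88.1-10+deb12u15 entry still has its distribution set to UNRELEASED, while this request targets bookworm and the previous entry (deb12u14) reads "bookworm". Set the distribution to bookworm before upload so that the attached debdiff matches what will actually be uploaded.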
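Review bot: The new debian/patches/CVE-2025-9086.patch touches only lib/cookie.c (its diffstat reads "1 file changed") and adds no test for a cookie whose path is the single character "/", which is the case the `len > 1` condition in sanitize_cookie_path() exists for. The [ Tests ] section relies on the existing upstream suite, and the request itself names a faulty backport as the main risk, so a regression test for that path, or a short note on how the fix was verified on bookworm, would close that gap. Minor: the new comment says "remove trailing slash when path is non-empty", but the condition leaves a one-character path untouched; wording such as "when the path is longer than a single character" would match the code.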

