Hi, I intent to upload a 0-day NMU for this in order to get this fixed synchronized with the oldstable and stable DSAs. A debdiff is attached and archived on: http://people.debian.org/~nion/nmu-diff/curl-7.18.2-8_7.18.2-8.1.patch
Cheers Nico -- Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
diff -u curl-7.18.2/debian/changelog curl-7.18.2/debian/changelog
--- curl-7.18.2/debian/changelog
+++ curl-7.18.2/debian/changelog
@@ -1,3 +1,15 @@
+curl (7.18.2-8.1) unstable; urgency=high
+
+ * Non-maintainer upload by the security team.
+ * Include upstream patch to prevent overwriting and reading arbitrary
+ local files or command execution via malicious redirects depending on
+ the setup curl is used in.
+ NOTE: This update introduces a new option called CURLOPT_REDIR_PROTOCOLS
+ which includes the protocols curl will follow on redirects, scp and file
+ are not included by default (CVE-2009-0037; Closes: #518423).
+
+ -- Nico Golde <n...@debian.org> Wed, 11 Mar 2009 15:33:08 +0100
+
curl (7.18.2-8) unstable; urgency=low
* Fix "Please add support for ldap/ldaps protocols"
diff -u curl-7.18.2/debian/patches/series curl-7.18.2/debian/patches/series
--- curl-7.18.2/debian/patches/series
+++ curl-7.18.2/debian/patches/series
@@ -6,2 +6,3 @@
gnutls
+CVE-2009-0037
only in patch2:
unchanged:
--- curl-7.18.2.orig/debian/patches/CVE-2009-0037
+++ curl-7.18.2/debian/patches/CVE-2009-0037
@@ -0,0 +1,217 @@
+Only in curl-7.18.2-protpatched: debug
+diff -X curl/diff-exclude -ru curl-7.18.2/docs/libcurl/curl_easy_setopt.3 curl-7.18.2-protpatched/docs/libcurl/curl_easy_setopt.3
+--- curl-7.18.2/docs/libcurl/curl_easy_setopt.3 2008-05-24 13:19:51.000000000 +0200
++++ curl-7.18.2-protpatched/docs/libcurl/curl_easy_setopt.3 2009-03-08 00:26:20.000000000 +0100
+@@ -438,6 +438,26 @@
+
+ \fICURLOPT_URL\fP is the only option that \fBmust\fP be set before
+ \fIcurl_easy_perform(3)\fP is called.
++
++\fICURLOPT_PROTOCOLS\fP can be used to limit what protocols libcurl will use
++for this transfer, independent of what libcurl has been compiled to
++support. That may be useful if you accept the URL from an external source and
++want to limit the accessibility.
++.IP CURLOPT_PROTOCOLS
++Pass a long that holds a bitmask of CURLPROTO_* defines. If used, this bitmask
++limits what protocols libcurl may use in the transfer. This allows you to have
++a libcurl built to support a wide range of protocols but still limit specific
++transfers to only be allowed to use a subset of them. By default libcurl will
++accept all protocols it supports. See also
++\fICURLOPT_REDIR_PROTOCOLS\fP. (Added in 7.19.4)
++.IP CURLOPT_REDIR_PROTOCOLS
++Pass a long that holds a bitmask of CURLPROTO_* defines. If used, this bitmask
++limits what protocols libcurl may use in a transfer that it follows to in a
++redirect when \fICURLOPT_FOLLOWLOCATION\fP is enabled. This allows you to
++limit specific transfers to only be allowed to use a subset of protocols in
++redirections. By default libcurl will allow all protocols except for FILE and
++SCP. This is a difference compared to pre-7.19.4 versions which
++unconditionally would follow to all protocols supported. (Added in 7.19.4)
+ .IP CURLOPT_PROXY
+ Set HTTP proxy to use. The parameter should be a char * to a zero terminated
+ string holding the host name or dotted IP address. To specify port number in
+@@ -677,6 +697,10 @@
+ and follow new Location: headers all the way until no more such headers are
+ returned. \fICURLOPT_MAXREDIRS\fP can be used to limit the number of redirects
+ libcurl will follow.
++
++NOTE: since 7.19.4, libcurl can limit to what protocols it will automatically
++follow. The accepted protocols are set with \fICURLOPT_REDIR_PROTOCOLS\fP and
++it excludes the FILE protocol by default.
+ .IP CURLOPT_UNRESTRICTED_AUTH
+ A non-zero parameter tells the library it can continue to send authentication
+ (user+password) when following locations, even when hostname changed. This
+diff -X curl/diff-exclude -ru curl-7.18.2/include/curl/curl.h curl-7.18.2-protpatched/include/curl/curl.h
+--- curl-7.18.2/include/curl/curl.h 2008-06-04 17:36:10.000000000 +0200
++++ curl-7.18.2-protpatched/include/curl/curl.h 2009-03-08 00:26:20.000000000 +0100
+@@ -592,6 +592,21 @@
+ CURLFTPMETHOD_LAST /* not an option, never use */
+ } curl_ftpmethod;
+
++/* CURLPROTO_ defines are for the CURLOPT_*PROTOCOLS options */
++#define CURLPROTO_HTTP (1<<0)
++#define CURLPROTO_HTTPS (1<<1)
++#define CURLPROTO_FTP (1<<2)
++#define CURLPROTO_FTPS (1<<3)
++#define CURLPROTO_SCP (1<<4)
++#define CURLPROTO_SFTP (1<<5)
++#define CURLPROTO_TELNET (1<<6)
++#define CURLPROTO_LDAP (1<<7)
++#define CURLPROTO_LDAPS (1<<8)
++#define CURLPROTO_DICT (1<<9)
++#define CURLPROTO_FILE (1<<10)
++#define CURLPROTO_TFTP (1<<11)
++#define CURLPROTO_ALL (~0) /* enable everything */
++
+ /* long may be 32 or 64 bits, but we should never depend on anything else
+ but 32 */
+ #define CURLOPTTYPE_LONG 0
+@@ -1200,6 +1215,18 @@
+ CINIT(SEEKFUNCTION, FUNCTIONPOINT, 167),
+ CINIT(SEEKDATA, OBJECTPOINT, 168),
+
++ /* set the bitmask for the protocols that are allowed to be used for the
++ transfer, which thus helps the app which takes URLs from users or other
++ external inputs and want to restrict what protocol(s) to deal
++ with. Defaults to CURLPROTO_ALL. */
++ CINIT(PROTOCOLS, LONG, 181),
++
++ /* set the bitmask for the protocols that libcurl is allowed to follow to,
++ as a subset of the CURLOPT_PROTOCOLS ones. That means the protocol needs
++ to be set in both bitmasks to be allowed to get redirected to. Defaults
++ to CURLPROTO_ALL & ~CURLPROTO_FILE. */
++ CINIT(REDIR_PROTOCOLS, LONG, 182),
++
+ CURLOPT_LASTENTRY /* the last unused */
+ } CURLoption;
+
+diff -X curl/diff-exclude -ru curl-7.18.2/lib/easy.c curl-7.18.2-protpatched/lib/easy.c
+--- curl-7.18.2/lib/easy.c 2008-05-12 23:43:29.000000000 +0200
++++ curl-7.18.2-protpatched/lib/easy.c 2009-03-08 00:26:20.000000000 +0100
+@@ -767,6 +767,13 @@
+ type */
+ data->set.new_file_perms = 0644; /* Default permissions */
+ data->set.new_directory_perms = 0755; /* Default permissions */
++
++ /* for the *protocols fields we don't use the CURLPROTO_ALL convenience
++ define since we internally only use the lower 16 bits for the passed
++ in bitmask to not conflict with the private bits */
++ data->set.allowed_protocols = PROT_EXTMASK;
++ data->set.redir_protocols =
++ PROT_EXTMASK & ~(CURLPROTO_FILE|CURLPROTO_SCP); /* not FILE or SCP */
+ }
+
+ /*
+diff -X curl/diff-exclude -ru curl-7.18.2/lib/url.c curl-7.18.2-protpatched/lib/url.c
+--- curl-7.18.2/lib/url.c 2008-04-30 23:20:09.000000000 +0200
++++ curl-7.18.2-protpatched/lib/url.c 2009-03-08 00:26:20.000000000 +0100
+@@ -738,6 +738,13 @@
+ data->set.new_file_perms = 0644; /* Default permissions */
+ data->set.new_directory_perms = 0755; /* Default permissions */
+
++ /* for the *protocols fields we don't use the CURLPROTO_ALL convenience
++ define since we internally only use the lower 16 bits for the passed
++ in bitmask to not conflict with the private bits */
++ data->set.allowed_protocols = PROT_EXTMASK;
++ data->set.redir_protocols =
++ PROT_EXTMASK & ~(CURLPROTO_FILE|CURLPROTO_SCP); /* not FILE or SCP */
++
+ /* most recent connection is not yet defined */
+ data->state.lastconnect = -1;
+
+@@ -2083,6 +2090,22 @@
+ }
+ break;
+
++ case CURLOPT_PROTOCOLS:
++ /* set the bitmask for the protocols that are allowed to be used for the
++ transfer, which thus helps the app which takes URLs from users or other
++ external inputs and want to restrict what protocol(s) to deal
++ with. Defaults to CURLPROTO_ALL. */
++ data->set.allowed_protocols = va_arg(param, long) & PROT_EXTMASK;
++ break;
++
++ case CURLOPT_REDIR_PROTOCOLS:
++ /* set the bitmask for the protocols that libcurl is allowed to follow to,
++ as a subset of the CURLOPT_PROTOCOLS ones. That means the protocol needs
++ to be set in both bitmasks to be allowed to get redirected to. Defaults
++ to CURLPROTO_ALL & ~CURLPROTO_FILE. */
++ data->set.redir_protocols = va_arg(param, long) & PROT_EXTMASK;
++ break;
++
+ default:
+ /* unknown tag and its companion, just ignore: */
+ result = CURLE_FAILED_INIT; /* correct this */
+@@ -3136,7 +3159,19 @@
+
+ for (pp = protocols; (p = *pp) != NULL; pp++)
+ if(strequal(p->scheme, conn->protostr)) {
+- /* Protocol found in table. Perform setup complement if some. */
++ /* Protocol found in table. Check if allowed */
++ if(!(data->set.allowed_protocols & p->protocol))
++ /* nope, get out */
++ break;
++
++ /* it is allowed for "normal" request, now do an extra check if this is
++ the result of a redirect */
++ if(data->state.this_is_a_follow &&
++ !(data->set.redir_protocols & p->protocol))
++ /* nope, get out */
++ break;
++
++ /* Perform setup complement if some. */
+ conn->handler = p;
+
+ if(p->setup_connection) {
+diff -X curl/diff-exclude -ru curl-7.18.2/lib/urldata.h curl-7.18.2-protpatched/lib/urldata.h
+--- curl-7.18.2/lib/urldata.h 2008-04-30 23:20:09.000000000 +0200
++++ curl-7.18.2-protpatched/lib/urldata.h 2009-03-08 00:26:20.000000000 +0100
+@@ -865,19 +865,26 @@
+ long connectindex; /* what index in the connection cache connects index this
+ particular struct has */
+ long protocol; /* PROT_* flags concerning the protocol set */
+-#define PROT_MISSING (1<<0)
+-#define PROT_HTTP (1<<2)
+-#define PROT_HTTPS (1<<3)
+-#define PROT_FTP (1<<4)
+-#define PROT_TELNET (1<<5)
+-#define PROT_DICT (1<<6)
+-#define PROT_LDAP (1<<7)
+-#define PROT_FILE (1<<8)
+-#define PROT_FTPS (1<<9)
+-#define PROT_SSL (1<<10) /* protocol requires SSL */
+-#define PROT_TFTP (1<<11)
+-#define PROT_SCP (1<<12)
+-#define PROT_SFTP (1<<13)
++#define PROT_HTTP CURLPROTO_HTTP
++#define PROT_HTTPS CURLPROTO_HTTPS
++#define PROT_FTP CURLPROTO_FTP
++#define PROT_TELNET CURLPROTO_TELNET
++#define PROT_DICT CURLPROTO_DICT
++#define PROT_LDAP CURLPROTO_LDAP
++#define PROT_FILE CURLPROTO_FILE
++#define PROT_FTPS CURLPROTO_FTPS
++#define PROT_TFTP CURLPROTO_TFTP
++#define PROT_SCP CURLPROTO_SCP
++#define PROT_SFTP CURLPROTO_SFTP
++
++/* CURLPROTO_TFTP (1<<11) is currently the highest used bit in the public
++ bitmask. We make sure we use "private bits" above the first 16 to make
++ things easier. */
++
++#define PROT_EXTMASK 0xffff
++
++#define PROT_SSL (1<<22) /* protocol requires SSL */
++#define PROT_MISSING (1<<23)
+
+ #define PROT_CLOSEACTION PROT_FTP /* these ones need action before socket
+ close */
+@@ -1467,6 +1474,8 @@
+ bool proxy_transfer_mode; /* set transfer mode (;type=<a|i>) when doing FTP
+ via an HTTP proxy */
+ char *str[STRING_LAST]; /* array of strings, pointing to allocated memory */
++ long allowed_protocols;
++ long redir_protocols;
+ };
+
+ struct Names {
+Only in curl-7.18.2-protpatched/src: curl
pgpw1lIU0Dx1Z.pgp
Description: PGP signature
