Public bug reported:

libcurl's check to limit outgoing Cookie header field size is broken.
The implementation in Jammy's libcurl4-7.81.0* was backported from a
newer curl (as part of CVE-2022-32205) but that implementation is buggy
and mistakenly checks against the entire outgoing request size, instead
of the cookie header size.

Upstream curl has fixed this, and the (simple) fix should be backported
to here too.

For example, if someone has a big request header (very common with
different authentication schemes like big JWT/bearer tokens or
Kerberos/SPNEGO), curl will drop cookies even though the cookies are
tiny.

Here is curl's original fix for CVE-2022-32205:
https://github.com/curl/curl/commit/48d7064a49148f03942380967da739dcde1cdc24
Here is the bugfix that correctly tracks the Cookie header size: 
https://github.com/curl/curl/commit/d40e5cc9a3c7c5ba88523be0272f842ca8672357

** Affects: curl (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/2118865

Title:
  libcurl outgoing Cookie header field size check is broken
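
A simplified model of the check described in this report, added here as an illustration and not taken from curl or the Ubuntu package: it counts how many cookies are sent when the cap is tested against the whole request versus the Cookie header alone. The 8190-byte cap, the function names and the sample jar are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define COOKIE_HDR_CAP 8190 /* assumed cap for this example */

struct cookie { const char *name; const char *value; };

/* Constructed sample: two tiny cookies. */
static const struct cookie sample_jar[] = { {"sid", "abc123"}, {"theme", "dark"} };

/* Bytes one cookie adds: "name=value", plus "; " when it is not the first. */
static size_t cookie_cost(const struct cookie *c, size_t already_sent)
{
  return strlen(c->name) + strlen(c->value) + 1 + (already_sent ? 2 : 0);
}

/* Shared loop: `start` is the length the cap is measured from. */
static size_t count_cookies(size_t start, const struct cookie *c, size_t n)
{
  size_t sent = 0, total = start + strlen("Cookie: ");
  while(sent < n && total + cookie_cost(&c[sent], sent) < COOKIE_HDR_CAP) {
    total += cookie_cost(&c[sent], sent);
    sent++;
  }
  return sent;
}

/* Broken check: measures from the size of the request built so far
   (request line, Authorization, ...), so big unrelated headers eat the
   cookie budget. Returns the number of cookies sent. */
size_t cookies_sent_buggy(size_t request_len, const struct cookie *c, size_t n)
{
  return count_cookies(request_len, c, n);
}

/* Corrected check: only the Cookie header's own length counts. */
size_t cookies_sent_fixed(size_t request_len, const struct cookie *c, size_t n)
{
  (void)request_len; /* other headers are irrelevant to the cookie cap */
  return count_cookies(0, c, n);
}

int main(void)
{
  /* Request already ~9000 bytes, e.g. because of a large bearer token. */
  printf("buggy: %zu of 2 sent\n", cookies_sent_buggy(9000, sample_jar, 2));
  printf("fixed: %zu of 2 sent\n", cookies_sent_fixed(9000, sample_jar, 2));
  return 0;
}
```

The corrected variant still refuses a cookie whose own size would push the Cookie header past the cap, so the original size restriction is kept.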
