This bug was fixed in the package curl - 7.81.0-1ubuntu1.21
---------------
curl (7.81.0-1ubuntu1.21) jammy-security; urgency=medium
* SECURITY REGRESSION: incorrect Cookie header field size check
(LP: #2118865)
- debian/patches/CVE-2022-32205-2.patch: rectify the field size check
in lib/http.c.
-- Marc Deslauriers <[email protected]> Tue, 23 Sep 2025
07:24:37 -0400
** Changed in: curl (Ubuntu Jammy)
Status: In Progress => Fix Released
** CVE added: https://cve.org/CVERecord?id=CVE-2022-32205
--
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to curl in Ubuntu.
https://bugs.launchpad.net/bugs/2118865
Title:
libcurl outgoing Cookie header field size check is broken
Status in curl package in Ubuntu:
Fix Released
Status in curl source package in Jammy:
Fix Released
Bug description:
libcurl's check to limit outgoing Cookier header field size is broken.
The implementation in Jammy's libcurl4-7.81.0* was backported from a
newer curl (as part of CVE-2022-32205) but that implementation is
buggy and mistakenly checks against the entire outgoing request size,
instead of the cookie header size.
Upstream curl has fixed this, and the (simple) fix should be
backported to here too.
For example, if someone has a big request header (very common with
different authentication schemes like big JWT/bearer tokens or
Kerberos/SPNEGO), curl will drop cookies even though the cookies are
tiny.
Here is curl's original fix for CVE-2022-32205:
https://github.com/curl/curl/commit/48d7064a49148f03942380967da739dcde1cdc24
Here is the bugfix that correctly tracks the Cookie header size:
https://github.com/curl/curl/commit/d40e5cc9a3c7c5ba88523be0272f842ca8672357
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/curl/+bug/2118865/+subscriptions
--
Mailing list: https://launchpad.net/~debcrafters-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~debcrafters-packages
More help : https://help.launchpad.net/ListHelp
