Your message dated Fri, 23 Aug 2024 10:17:09 +0000
with message-id <e1shrlx-006uyg...@fasolo.debian.org>
and subject line Bug#1077656: fixed in curl 7.88.1-10+deb12u7
has caused the Debian Bug report #1077656,
regarding curl: CVE-2024-7264
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1077656: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1077656
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: curl
Version: 8.9.0-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for curl.

CVE-2024-7264[0]:
| libcurl's ASN1 parser code has the `GTime2str()` function, used for
| parsing an ASN.1 Generalized Time field. If given a syntactically
| incorrect field, the parser might end up using -1 for the length of
| the *time fraction*, leading to a `strlen()` getting performed on a
| pointer to a heap buffer area that is not (purposely) null
| terminated.  This flaw most likely leads to a crash, but can also
| lead to heap contents getting returned to the application when
| [CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is
| used.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-7264
    https://www.cve.org/CVERecord?id=CVE-2024-7264
[1] https://curl.se/docs/CVE-2024-7264.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
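The mechanism the advisory text quoted in the report above describes, shown as an added example in C that is not curl's code and is not part of the bug report: a hypothetical GeneralizedTime formatter over a DER field slice that carries no NUL terminator, first with unchecked fraction-length arithmetic that yields -1 on a malformed field, then a hardened version that bounds every offset and every `%.*s` precision. The simplified grammar, the function names and the sample fields are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical GeneralizedTime formatter (added example, not curl's code).
 * Input is a (beg, end) byte range with NO NUL terminator, as a field inside
 * a DER certificate buffer would be. Assumed, simplified grammar:
 *   YYYYMMDDHHMMSS [ '.' digits ] [ 'Z' ]                                  */

/* Vulnerable pattern: the fraction length is measured from an ASSUMED 14-byte
 * body (beg + 14) without verifying that the body is 14 digits. A malformed
 * 13-digit field such as "2024082310170.Z" yields -1; passing (int)-1 as a
 * "%.*s" precision makes printf treat the precision as absent (C11 7.21.6.1)
 * and scan for a NUL past `end`: the strlen() over-read the advisory names.
 * Needs end - beg >= 14 so that beg + 14 itself stays a valid pointer.      */
static long frac_len_unchecked(const char *beg, const char *end)
{
    const char *p = beg, *sep = beg + 14;   /* sep: assumed '.' position */
    long fracl = 0;

    while(p < end && isdigit((unsigned char)*p))
        p++;                                /* p: first non-digit byte */
    if(p < end && *p == '.') {
        const char *tz = p + 1;
        while(tz < end && isdigit((unsigned char)*tz))
            tz++;                           /* tz: zone letter or end */
        fracl = (long)(tz - sep) - 1;       /* "digits after the '.'" */
    }
    return fracl;
}

/* Hardened variant: every offset is checked against `end` before use, a '.'
 * needs at least one digit, nothing may follow the zone letter, and every
 * "%.*s" precision is a non-negative int bounded by the field itself.
 * Returns 0 and writes `out` on success, -1 on any syntax error.           */
static int gtime_format_checked(const char *beg, const char *end,
                                char *out, size_t outlen)
{
    const char *p, *frac = "";
    size_t i, fracl = 0;
    int zone = 0, n;

    if(end - beg < 14)
        return -1;
    for(i = 0; i < 14; i++)                 /* body: exactly 14 digits */
        if(!isdigit((unsigned char)beg[i]))
            return -1;
    p = beg + 14;
    if(p < end && *p == '.') {
        frac = ++p;
        while(p < end && isdigit((unsigned char)*p))
            p++;
        fracl = (size_t)(p - frac);
        if(fracl == 0)                      /* '.' with no digits */
            return -1;
    }
    if(p < end && *p == 'Z') {
        zone = 1;
        p++;
    }
    if(p != end)                            /* trailing bytes */
        return -1;
    n = snprintf(out, outlen, "%.4s-%.2s-%.2s %.2s:%.2s:%.2s%s%.*s%s",
                 beg, beg + 4, beg + 6, beg + 8, beg + 10, beg + 12,
                 fracl ? "." : "", (int)fracl, frac, zone ? " Z" : "");
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Runs both parsers over a heap copy of `field` WITHOUT a NUL terminator,
 * like a DER field slice, so a read past `end` would be a real OOB access.
 * Returns the checked parser's rc; *fracl receives the unchecked result.   */
static int run_sample(const char *field, char *out, size_t outlen, long *fracl)
{
    size_t len = strlen(field);
    char *buf = malloc(len);                /* no room for a NUL, on purpose */
    int rc;
    if(!buf)
        return -1;
    memcpy(buf, field, len);
    *fracl = frac_len_unchecked(buf, buf + len);
    rc = gtime_format_checked(buf, buf + len, out, outlen);
    free(buf);
    return rc;
}

int main(void)
{   /* constructed samples: two valid fields, then two malformed ones */
    const char *samples[] = { "20240823101709.123Z", "20240823101709Z",
                              "2024082310170.Z", "20240823101709." };
    char out[64];
    size_t i;
    for(i = 0; i < sizeof samples / sizeof *samples; i++) {
        long fl;
        int rc = run_sample(samples[i], out, sizeof out, &fl);
        printf("%-20s unchecked fracl=%2ld  checked: %s\n", samples[i], fl,
               rc ? "rejected" : out);
    }
    return 0;
}
```

The unchecked variant only computes the bad length; it never feeds it to `%.*s`, so the program runs cleanly. Wiring `(int)fracl` into a `%.*s` over `buf` and building with `-fsanitize=address` is the quickest way to see the heap over-read the advisory describes, since `buf` deliberately has no terminator.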
--- Begin Message ---
Source: curl
Source-Version: 7.88.1-10+deb12u7
Done: Carlos Henrique Lima Melara <charlesmel...@riseup.net>

We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1077...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Carlos Henrique Lima Melara <charlesmel...@riseup.net> (supplier of updated 
curl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 17 Aug 2024 14:06:29 -0300
Source: curl
Architecture: source
Version: 7.88.1-10+deb12u7
Distribution: bookworm
Urgency: medium
Maintainer: Alessandro Ghedini <gh...@debian.org>
Changed-By: Carlos Henrique Lima Melara <charlesmel...@riseup.net>
Closes: 1077656
Changes:
 curl (7.88.1-10+deb12u7) bookworm; urgency=medium
 .
   * Team upload.
   * debian/patches/CVE-2024-7264*: import and backport upstream patches to fix
     CVE-2024-7264 - ASN.1 date parser overread. (Closes: #1077656)
Checksums-Sha1:
 a96c9615e274e968ef52d5a29636375a32860925 3289 curl_7.88.1-10+deb12u7.dsc
 dab34418474ba5a1f0d86f759b7987d6b200354b 70856 curl_7.88.1-10+deb12u7.debian.tar.xz
 1e7a79a34b779e5404cc45b0489cbc66c98f551a 11490 curl_7.88.1-10+deb12u7_amd64.buildinfo
Checksums-Sha256:
 dcacc507401f4c887f0dc9df3feefc32954b39fed3c2d2b8fb78e046d6be5a48 3289 curl_7.88.1-10+deb12u7.dsc
 11633a404e33f9abfcb2a5f7883601df6bfc35e37b3d87dcb04f986f9cf94c8d 70856 curl_7.88.1-10+deb12u7.debian.tar.xz
 84e232381a3b4c209bef48c2843c712c6b499debf20b80cb8edaa90fd992b836 11490 curl_7.88.1-10+deb12u7_amd64.buildinfo
Files:
 1dbbf117ee864957a3b2341ad4c1e58e 3289 web optional curl_7.88.1-10+deb12u7.dsc
 c54bc3525e786ca6354007be5e1231b2 70856 web optional curl_7.88.1-10+deb12u7.debian.tar.xz
 936c6dd67f7127867e391c36aed99674 11490 web optional curl_7.88.1-10+deb12u7_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
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=gZsy
-----END PGP SIGNATURE-----

Attachment: pgpBGO052WHdv.pgp
Description: PGP signature


--- End Message ---
