Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package curl, it provides a patch for CVE-2014-8150. See attached debdiff.

unblock curl/7.38.0-4

-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru curl-7.38.0/debian/changelog curl-7.38.0/debian/changelog --- curl-7.38.0/debian/changelog 2014-11-06 11:40:27.000000000 +0100 +++ curl-7.38.0/debian/changelog 2015-01-08 10:47:32.000000000 +0100 @@ -1,3 +1,11 @@ +curl (7.38.0-4) unstable; urgency=high + + * Fix URL request injection vulnerability as per CVE-2014-8150 + http://curl.haxx.se/docs/adv_20150108B.html + * Set urgency=high accordingly + + -- Alessandro Ghedini <gh...@debian.org> Thu, 08 Jan 2015 10:47:24 +0100 + curl (7.38.0-3) unstable; urgency=high * Enable all hardening options (Closes: #763372) diff -Nru curl-7.38.0/debian/patches/12_CVE-2014-8150.patch curl-7.38.0/debian/patches/12_CVE-2014-8150.patch --- curl-7.38.0/debian/patches/12_CVE-2014-8150.patch 1970-01-01 01:00:00.000000000 +0100 +++ curl-7.38.0/debian/patches/12_CVE-2014-8150.patch 2015-01-08 10:47:32.000000000 +0100 @@ -0,0 +1,27 @@ +From 4e2ac2afa94f014a2a015c48c678e2367a63ae82 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <dan...@haxx.se> +Date: Thu, 25 Dec 2014 23:55:03 +0100 +Subject: [PATCH] url-parsing: reject CRLFs within URLs + +Bug: http://curl.haxx.se/docs/adv_20150108B.html +Reported-by: Andrey Labunets +--- + lib/url.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/lib/url.c ++++ b/lib/url.c +@@ -3784,6 +3784,13 @@ + + *prot_missing = FALSE; + ++ /* We might pass the entire URL into the request so we need to make sure ++ * there are no bad characters in there.*/ ++ if(strpbrk(data->change.url, "\r\n")) { ++ failf(data, "Illegal characters found in URL"); ++ return CURLE_URL_MALFORMAT; ++ } ++ + /************************************************************* + * Parse the URL. + * diff -Nru curl-7.38.0/debian/patches/series curl-7.38.0/debian/patches/series --- curl-7.38.0/debian/patches/series 2014-11-06 11:40:27.000000000 +0100 +++ curl-7.38.0/debian/patches/series 2015-01-08 10:47:32.000000000 +0100 
@@ -8,6 +8,7 @@ 09_libtoolize_check.patch 10_fix-resolver.patch 11_CVE-2014-3707.patch +12_CVE-2014-8150.patch # do not add patches below 90_gnutls.patch
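Review bot: In the lib/url.c hunk, the new `strpbrk(data->change.url, "\r\n")` check rejects only literal CR and LF bytes, and it does so before any parsing, so the rejection applies to the URL exactly as the application supplied it; that matches the scope of the upstream subject ("reject CRLFs within URLs") and returning `CURLE_URL_MALFORMAT` with the `failf()` message is the right failure class rather than silently stripping the bytes. It is a behaviour change for callers that previously passed such URLs through, so the debian/changelog entry would benefit from one sentence saying that URLs containing CR or LF now fail with `CURLE_URL_MALFORMAT`, pointing at the advisory URL already cited there.

Review bot: In the debian/patches/series hunk, `12_CVE-2014-8150.patch` is inserted directly after `11_CVE-2014-3707.patch` and above the `# do not add patches below` marker, which keeps the numbering sequence and the fixed tail (`90_gnutls.patch`) intact; the patch file itself is an unmodified `git format-patch` export with `From`, `Date`, `Subject` and `Bug:` headers, which is DEP-3 compatible, so no extra header block is needed.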