Bug 1138846 (CVE-2014-3620)

Summary: CVE-2014-3620 curl: cookies accepted for TLDs
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: kdudka, mmcallis, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: curl 7.38.0 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-09-15 12:04:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1140037, 1140038, 1140039    
Bug Blocks: 1136155    

Description Vincent Danen 2014-09-05 18:57:53 UTC 
Daniel Stenberg reported the following vulnerability in cURL that could cause libcurl-based HTTP clients to leak cookie information:

Cookies set for Top Level Domains (TLD)

   libcurl wrongly allows cookies to be set for TLDs, thus making them much
   broader then they are supposed to be allowed to. This can allow arbitrary
   sites to set cookies that then would get sent to a different and unrelated
   site or domain.

   INFO

   Cookie parsing and use is opt-in by applications and is not enabled by
   default.

   libcurl's cookie parser has no Public Suffix awareness, so apart from
   rejecting TLDs from being allowed it might still allow cookies for domains
   that are otherwise widely rejected by ordinary browsers. See
   https://publicsuffix.org/ for details.

Versions 7.31.0 and later are affected.  Earlier versions are not affected.

Information about how to enable cookies is available from http://curl.haxx.se/docs/http-cookies.html

Acknowledgements:

Red Hat would like to thank the cURL project for reporting these issues. Upstream acknowledges Tim Ruehsen as the original reporter.


Statement:

This issue did not affect the versions of curl as shipped with Red Hat Enterprise Linux 5, 6, or 7.
Comment 1 Tomas Hoger 2014-09-08 13:43:14 UTC 
(In reply to Vincent Danen from comment #0)
> Versions 7.31.0 and later are affected.  Earlier versions are not affected.

To be more specific, upstream identified the following commit as the one that introduced this issue and caused curl to accept cookies for TLDs:

https://github.com/bagder/curl/commit/85b9dc8023

This fix was also backported to curl version 7.29.0 as used in Fedora 19.  Hence all current Fedora releases are affected by this problem.

Red Hat Enterprise Linux 5, 6 and 7 are not affected, as noted above.
Comment 4 Murray McAllister 2014-09-10 08:29:04 UTC 
This issue is public now.

External References:

http://curl.haxx.se/docs/adv_20140910B.html
Comment 5 Murray McAllister 2014-09-10 08:35:42 UTC 
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 1140039]
Comment 6 Murray McAllister 2014-09-10 08:35:45 UTC 
Created mingw-curl tracking bugs for this issue:

Affects: fedora-all [bug 1140037]
Affects: epel-7 [bug 1140038]
Comment 7 Fedora Update System 2014-09-14 03:27:25 UTC 
curl-7.32.0-13.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2014-09-23 04:26:08 UTC 
curl-7.37.0-7.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2014-10-08 19:03:39 UTC 
curl-7.29.0-23.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.