Bug 642642 (CVE-2010-3842)

Summary: CVE-2010-3842 mingw32-curl: Did not strip directory parts separated by backslashes, when downloading files
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: erik-fedora
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-10-13 18:16:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 642649    
Bug Blocks:    

Description Jan Lieskovsky 2010-10-13 13:40:51 UTC 
cURL did not properly cut off directory parts from user provided
file name to be downloaded on operating systems, where backslashes
are used to separate directories and file names. This could allow
remote servers to create or overwrite files via a Content-Disposition
header that suggests a crafted filename, and possibly execute arbitrary
code as a consequence of writing to a certain file in a user's home
directory. Different vulnerability than CVE-2010-2251, CVE-2010-2252
and CVE-2010-2253.

Note: As already mentioned in [2]. This flaw only affected those
      operating systems, where backslash is used to separate directories
      and file names, thus Microsoft Windows, Novell Netware, MSDOS, OS/2
      and Symbian to mention some of them.

References:
[1] http://curl.haxx.se/docs/security.html
[2] http://curl.haxx.se/docs/adv_20101013.html

Upstream patch:
[3] http://curl.haxx.se/curl-content-disposition.patch

Credit: Upstream acknowledges Dan Fandrich as the original reporter.
Comment 1 Jan Lieskovsky 2010-10-13 13:48:08 UTC 
CVE Request:
[4] http://www.openwall.com/lists/oss-security/2010/10/13/1
Comment 2 Jan Lieskovsky 2010-10-13 13:49:09 UTC 
This issue affects the versions of the mingw32-curl package, as shipped
with Fedora release of 12 and 13.

Please fix.
Comment 3 Jan Lieskovsky 2010-10-13 13:51:37 UTC 
Created mingw32-curl tracking bugs for this issue

Affects: fedora-all [bug 642649]
Comment 4 Erik van Pienbroek 2010-10-13 13:53:28 UTC 
The mingw32-curl package in all branches is NOT affected by this security issue. As mentioned on [2]:

  This error is only present in the curl command line tool, it is NOT a
  problem of the library libcurl.

The curl command line tool isn't bundled in the mingw32-curl package hence the package shouldn't be affected
Comment 5 Jan Lieskovsky 2010-10-13 18:16:49 UTC 
Thanks for the clarification, Erik (searched only through the source code,
so didn't realize it is possible, the final tool is not bundled in the
final binary).

Closing this bug.
Comment 6 Jan Lieskovsky 2010-10-16 10:50:27 UTC 
The CVE identifier of CVE-2010-3842 has been assigned to the cURL issue,
on native systems, which use backslash as directory part / filename part
delimiter.