Bug 773457 (CVE-2012-0036)

Summary: CVE-2012-0036 curl: URL sanitization vulnerability
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: jlieskov, kdudka, prc, security-response-team
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20120124,reported=20120107,source=vendor-sec,cvss2=5.8/AV:N/AC:M/Au:N/C:P/I:P/A:N,fedora-all/curl=affected,rhel-6/curl=notaffected,rhel-5/curl=notaffected,rhel-4/curl=notaffected,fedora-all/mingw32-curl=affected,epel-5/mingw32-curl=affected
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2014-01-15 19:44:35 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 784226, 784227, 784228
Bug Blocks: 773461
Attachments (Description, Flags):
proposed upstream patch
proposed upstream patch, none

Description Vincent Danen 2012-01-11 16:22:38 EST
A flaw was found in the way that curl sanitized URLs.  The upstream advisory [1] reports:

   libcurl is vulnerable to a data injection attack for certain protocols
   through control characters embedded or percent-encoded in URLs.

   When parsing URLs, libcurl's parser is very lax and liberal and only
   parses as little as possible and lets as much as possible through as long as
   it can figure out what to do.

   In the specific process when libcurl extracts the file path part from a
   given URL, it didn't always verify the data or escape control characters
   properly before it passed the file path on to the protocol-specific code
   that then would use it for its protocol business.

   This passing through of control characters could be exploited by someone who
   would be able to pass in a handcrafted URL to libcurl. Lots of libcurl
   using applications let users enter URLs in one form or another and not all
   of these check the input carefully to prevent malicious ones.

   A malicious user might pass in %0d%0a to get treated as CR LF by libcurl,
   and by using this fact a user can trick for example a POP3 client to delete
   a message instead of getting it or trick an SMTP server to send an
   unintended message.

   This vulnerability can be used to fool libcurl with the following protocols:
   IMAP, POP3 and SMTP.

   There is no known exploit for this problem.

This flaw only affects curl versions 7.20.0 up to and including 7.23.1. It is corrected in 7.24.0 by scanning for a range of "bad codes" in the path part of URLs so that they are rejected before any protocol code even can consider using them.

This flaw has been assigned the name CVE-2012-0036.

[1] http://curl.haxx.se/docs/security.html


Not vulnerable. This issue did not affect the versions of curl as shipped with Red Hat Enterprise Linux 4, 5 or 6.
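As an added illustration of the kind of check the description says 7.24.0 introduced (scanning the path part of a URL for control codes and rejecting it before any protocol code sees it), here is a small C routine. It is example code written for this page, not curl's own patch; the function names path_has_bad_codes and accept_url_path, and the sample paths in main, are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Example code, not curl's implementation: decode one hex digit,
   returning -1 for a non-hex character (including the NUL terminator). */
static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Returns 1 if the URL path carries a control character, either raw
   (0x00-0x1f or 0x7f) or hidden behind a %XX escape such as %0d%0a,
   and 0 if the path is clean. Only well-formed %XX escapes are decoded;
   a stray '%' is treated as a literal byte. */
int path_has_bad_codes(const char *path)
{
    const unsigned char *p = (const unsigned char *)path;
    while (*p) {
        unsigned int c = *p;
        if (c == '%' && hexval(p[1]) >= 0 && hexval(p[2]) >= 0) {
            c = (unsigned int)((hexval(p[1]) << 4) | hexval(p[2]));
            p += 3;
        } else {
            p++;
        }
        if (c < 0x20 || c == 0x7f)
            return 1;
    }
    return 0;
}

/* Gatekeeper an application could put in front of a user-supplied path:
   copies `path` into `out` only when it passes path_has_bad_codes().
   Returns 0 on success, -1 when the path is rejected or `out` is too small. */
int accept_url_path(const char *path, char *out, size_t outlen)
{
    size_t n = strlen(path);
    if (path_has_bad_codes(path) || n + 1 > outlen)
        return -1;
    memcpy(out, path, n + 1);
    return 0;
}

int main(void)
{
    /* Constructed sample paths: a plain mailbox path, one with an
       encoded CR LF as described in the advisory, and one with a raw CR. */
    const char *samples[] = { "/INBOX/1", "/INBOX/1%0d%0aX", "/a\rb", "/%41" };
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = accept_url_path(samples[i], buf, sizeof buf);
        printf("%-20s -> %s\n", samples[i], rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

The check decodes escapes only to inspect them; the accepted path is copied through unchanged, so the protocol layer still receives the percent-encoded form and decides for itself how to decode it.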
Comment 1 Vincent Danen 2012-01-11 16:28:07 EST
Created attachment 552243 [details]
proposed upstream patch
Comment 3 Vincent Danen 2012-01-20 18:19:02 EST
Created attachment 556625 [details]
proposed upstream patch

Updated version of upstream's patch.
Comment 4 Jan Lieskovsky 2012-01-24 04:37:38 EST
Upstream security page describing this issue:
[2] http://curl.haxx.se/docs/security.html

Particular CVE-2012-0036 dedicated advisory from upstream:
[3] http://curl.haxx.se/docs/adv_20120124.html

Final version of upstream patch:
[4] http://curl.haxx.se/curl-url-sanitize.patch
Comment 5 Jan Lieskovsky 2012-01-24 05:56:05 EST
Created mingw32-curl tracking bugs for this issue

Affects: fedora-all [bug 784227]
Affects: epel-5 [bug 784228]
Comment 6 Jan Lieskovsky 2012-01-24 05:56:09 EST
Created curl tracking bugs for this issue

Affects: fedora-all [bug 784226]
Comment 7 Kamil Dudka 2012-01-24 07:03:00 EST
upstream commit:

Comment 8 Jan Lieskovsky 2012-01-25 04:13:13 EST

Red Hat would like to thank the cURL project for reporting this issue.
Upstream acknowledges Dan Fandrich as the original reporter.
Comment 9 Fedora Update System 2012-01-27 22:31:01 EST
curl-7.21.7-6.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2012-02-11 17:04:51 EST
curl-7.21.3-13.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.