Bug 950577 (CVE-2013-1944)

Summary: CVE-2013-1944 curl: Cookie domain suffix match vulnerability
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: hkario, jrusnack, kdudka, mjc, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20130412,reported=20130410,source=distros,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,rhel-5/curl=affected,rhel-6/curl=affected,fedora-all/curl=affected
Fixed In Version: curl 7.30.0
Doc Type: Bug Fix
Last Closed: 2013-04-24 16:55:15 EDT
Bug Depends On: 950934, 950935, 950937, 950941, 951417
Bug Blocks: 950588
Attachments: Local copy of proposed upstream patch (flags: none)

Description Jan Lieskovsky 2013-04-10 08:54:29 EDT
A security flaw was found in the way the library of cURL, a utility for retrieval of files from remote servers, performed matching of cookie domain names when making a decision whether previously stored cookies should be sent to a particular domain. Due to a bug in the match function implementation, the decision / match formerly also succeeded in cases where just a suffix / certain part of the domain name matched the domain name the current request originated from. A remote attacker could use this flaw to possibly hijack the user session of the victim by submitting a request containing a specially-crafted domain name.

References:
[1] http://thread.gmane.org/gmane.comp.web.curl.library/38986

Acknowledgements:

Red Hat would like to thank the cURL project for reporting this issue. Upstream acknowledges YAMADA Yasuharu as the original reporter.
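
The suffix-match flaw described above, as an added C illustration placed after the description (it is not curl's code and not the upstream patch). The function names and the example.com host names are constructed for this example, and hosts are assumed to be DNS names rather than IP literals.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive equality of two NUL-terminated strings. */
static bool ieq(const char *a, const char *b)
{
    while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b)) {
        a++;
        b++;
    }
    return *a == '\0' && *b == '\0';
}

/* Suffix-only comparison, the behaviour the bug description reports:
   any host whose name merely ends in the cookie domain matches.
   Hypothetical name, not a curl function. */
static bool tailmatch_suffix_only(const char *cookie_domain, const char *host)
{
    size_t clen = strlen(cookie_domain), hlen = strlen(host);
    return clen <= hlen && ieq(cookie_domain, host + (hlen - clen));
}

/* Label-aware comparison: the suffix must be the whole host name or
   start right after a '.', so it covers complete DNS labels only.
   Hypothetical name, not a curl function. */
static bool tailmatch_label_aware(const char *cookie_domain, const char *host)
{
    size_t clen, hlen;
    if (*cookie_domain == '.')          /* a leading dot is not significant */
        cookie_domain++;
    clen = strlen(cookie_domain);
    hlen = strlen(host);
    if (clen == 0 || clen > hlen || !ieq(cookie_domain, host + (hlen - clen)))
        return false;
    return hlen == clen || host[hlen - clen - 1] == '.';
}

int main(void)
{
    /* Constructed host names; the cookie was stored for example.com. */
    const char *hosts[] = { "example.com", "www.example.com", "badexample.com" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-16s suffix-only=%d label-aware=%d\n", hosts[i],
               tailmatch_suffix_only("example.com", hosts[i]),
               tailmatch_label_aware("example.com", hosts[i]));
    return 0;
}
```
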
Comment 3 Jan Lieskovsky 2013-04-10 09:09:30 EDT
This issue affects the versions of the curl package, as shipped with Red Hat Enterprise Linux 5 and 6.

--

This issue affects the versions of the curl package, as shipped with Fedora releases 17 and 18.
Comment 6 Jan Lieskovsky 2013-04-11 04:22:44 EDT
The CVE identifier of CVE-2013-1944 has been assigned to this issue.
Comment 7 Jan Lieskovsky 2013-04-11 04:24:37 EDT
Proposed upstream patch is available at:
  http://curl.haxx.se/curl-tailmatch.patch
Comment 8 Jan Lieskovsky 2013-04-11 04:26:58 EDT
Created attachment 734032
Local copy of proposed upstream patch
Comment 10 Jan Lieskovsky 2013-04-12 04:58:13 EDT
External References:
http://curl.haxx.se/docs/adv_20130412.html
Comment 11 Jan Lieskovsky 2013-04-12 04:59:41 EDT
Created curl tracking bugs for this issue

Affects: fedora-all [bug 951417]
Comment 16 Fedora Update System 2013-04-17 22:34:24 EDT
curl-7.27.0-8.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 17 Fedora Update System 2013-04-20 15:45:30 EDT
curl-7.29.0-5.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 errata-xmlrpc 2013-04-24 13:37:24 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2013:0771 https://rhn.redhat.com/errata/RHSA-2013-0771.html
Comment 19 Fedora Update System 2013-05-01 00:23:56 EDT
curl-7.29.0-6.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 20 Fedora Update System 2013-05-05 23:49:02 EDT
curl-7.27.0-9.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.