|Summary:||CVE-2013-1944 curl: Cookie domain suffix match vulnerability|
|Product:||[Other] Security Response||Reporter:||Jan Lieskovsky <jlieskov>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||CLOSED ERRATA||QA Contact:|
|Version:||unspecified||CC:||hkario, jrusnack, kdudka, mjc, security-response-team|
|Fixed In Version:||curl 7.30.0||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2013-04-24 20:55:15 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Bug Depends On:||950934, 950935, 950937, 950941, 951417|
Description Jan Lieskovsky 2013-04-10 12:54:29 UTC
A security flaw was found in the way the library of cURL, a utility for retrieval of files from remote servers, performed match of cookie domain names when making a decision if (previously stored cookies) should be sent to particular domain. Due to a bug in match function implementation, (formerly) the decision / match succeeded also in cases, where just suffix / certain part of the domain name matched the domain name, the current request originated from. A remote attacker could use this flaw to possibly hijack the user session of the victim by submitting a request containing a specially-crafted domain name.

References:
http://thread.gmane.org/gmane.comp.web.curl.library/38986

Acknowledgements:
Red Hat would like to thank the cURL project for reporting this issue. Upstream acknowledges YAMADA Yasuharu as the original reporter.
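The suffix-match problem described in the report above, as an added example that is not part of the original bug report and is not curl's own code: a plain trailing-substring comparison next to a check that also requires a label boundary. The function names and the `example.com` hostnames are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive test: is `domain` a trailing substring of `host`? */
static int tail_equal(const char *domain, const char *host)
{
    size_t dlen = strlen(domain), hlen = strlen(host), i;
    if (dlen == 0 || hlen < dlen)
        return 0;
    for (i = 0; i < dlen; i++)
        if (tolower((unsigned char)host[hlen - dlen + i]) !=
            tolower((unsigned char)domain[i]))
            return 0;
    return 1;
}

/* Hypothetical flawed check: any trailing-substring match succeeds. */
int suffix_match_flawed(const char *cookie_domain, const char *host)
{
    return tail_equal(cookie_domain, host);
}

/* Hypothetical hardened check: the match must cover the whole host,
 * or start right after a '.' so it falls on a domain label boundary. */
int domain_match_strict(const char *cookie_domain, const char *host)
{
    size_t dlen, hlen;
    if (*cookie_domain == '.')   /* a leading dot is not significant */
        cookie_domain++;
    if (!tail_equal(cookie_domain, host))
        return 0;
    dlen = strlen(cookie_domain);
    hlen = strlen(host);
    return hlen == dlen || host[hlen - dlen - 1] == '.';
}

int main(void)
{
    /* Constructed hostnames; the cookie was stored for "example.com". */
    const char *hosts[] = {"example.com", "www.example.com", "badexample.com"};
    size_t i;
    for (i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-16s flawed=%d strict=%d\n", hosts[i],
               suffix_match_flawed("example.com", hosts[i]),
               domain_match_strict("example.com", hosts[i]));
    return 0;
}
```

A complete RFC 6265 domain match also requires that the request host is a host name rather than an IP address, which this example does not check.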
Comment 3 Jan Lieskovsky 2013-04-10 13:09:30 UTC
This issue affects the versions of the curl package, as shipped with Red Hat Enterprise Linux 5 and 6.

This issue affects the versions of the curl package, as shipped with Fedora release of 17 and 18.
Comment 6 Jan Lieskovsky 2013-04-11 08:22:44 UTC
The CVE identifier of CVE-2013-1944 has been assigned to this issue.
Comment 7 Jan Lieskovsky 2013-04-11 08:24:37 UTC
Proposed upstream patch is available at: http://curl.haxx.se/curl-tailmatch.patch
Comment 8 Jan Lieskovsky 2013-04-11 08:26:58 UTC
Created attachment 734032 [details] Local copy of proposed upstream patch
Comment 10 Jan Lieskovsky 2013-04-12 08:58:13 UTC
External References: http://curl.haxx.se/docs/adv_20130412.html
Comment 11 Jan Lieskovsky 2013-04-12 08:59:41 UTC
Created curl tracking bugs for this issue

Affects: fedora-all [bug 951417]
Comment 12 Jan Lieskovsky 2013-04-12 09:03:11 UTC
Comment 16 Fedora Update System 2013-04-18 02:34:24 UTC
curl-7.27.0-8.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
Comment 17 Fedora Update System 2013-04-20 19:45:30 UTC
curl-7.29.0-5.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Comment 18 errata-xmlrpc 2013-04-24 17:37:24 UTC
This issue has been addressed in following products:

Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6

Via RHSA-2013:0771 https://rhn.redhat.com/errata/RHSA-2013-0771.html
Comment 19 Fedora Update System 2013-05-01 04:23:56 UTC
curl-7.29.0-6.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Comment 20 Fedora Update System 2013-05-06 03:49:02 UTC
curl-7.27.0-9.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.