Bug 950577 (CVE-2013-1944)

Summary: CVE-2013-1944 curl: Cookie domain suffix match vulnerability
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: hkario, jrusnack, kdudka, mjc, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: curl 7.30.0
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2013-04-24 20:55:15 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 950934, 950935, 950937, 950941, 951417
Bug Blocks: 950588
Attachments: Local copy of proposed upstream patch (flags: none)

Description Jan Lieskovsky 2013-04-10 12:54:29 UTC
A security flaw was found in the way the library of cURL, a utility for retrieval of files from remote servers, performed matching of cookie domain names when deciding whether (previously stored) cookies should be sent to a particular domain. Due to a bug in the match function implementation, the decision / match (formerly) also succeeded in cases where just a suffix / certain part of the domain name matched the domain name the current request originated from. A remote attacker could use this flaw to possibly hijack the user session of the victim by submitting a request containing a specially-crafted domain name.

References:
[1] http://thread.gmane.org/gmane.comp.web.curl.library/38986

Acknowledgements:

Red Hat would like to thank the cURL project for reporting this issue. Upstream acknowledges YAMADA Yasuharu as the original reporter.
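The suffix-match flaw described in the report, as an added illustration that is not the upstream patch or curl's own code: a naive tail match accepts a cookie whose domain is merely a trailing substring of the request host, while the corrected check also requires the match to cover the whole host or to start right after a '.' label boundary. Function names and the sample hosts are constructed for this example.

```c
#include <stdbool.h>
#include <string.h>
#include <strings.h>

/* Illustrative reconstruction of the flawed logic (not curl's code):
 * a cookie domain matches whenever it is a case-insensitive suffix of
 * the host, so "ample.com" wrongly matches "example.com". */
bool tailmatch_flawed(const char *cookie_domain, const char *host)
{
    size_t dlen = strlen(cookie_domain), hlen = strlen(host);
    if (hlen < dlen)
        return false;
    return strcasecmp(cookie_domain, host + hlen - dlen) == 0;
}

/* Hardened check: the suffix match must either cover the whole host or
 * begin immediately after a '.', so only the cookie domain itself and
 * its subdomains qualify. A leading '.' on the cookie domain is
 * stripped first, as RFC 6265 section 5.2.3 prescribes. */
bool tailmatch_fixed(const char *cookie_domain, const char *host)
{
    if (cookie_domain[0] == '.')
        cookie_domain++;
    size_t dlen = strlen(cookie_domain), hlen = strlen(host);
    if (dlen == 0 || hlen < dlen)
        return false;
    if (strcasecmp(cookie_domain, host + hlen - dlen) != 0)
        return false;
    if (hlen == dlen)
        return true;                      /* exact host match */
    return host[hlen - dlen - 1] == '.';  /* label boundary */
}

/* Constructed demonstration: count the sample hosts on which the flawed
 * and fixed checks disagree for a given cookie domain. */
int count_disagreements(const char *cookie_domain)
{
    static const char *hosts[] = {
        "example.com", "www.example.com", "ample.com", "notexample.com"
    };
    int n = 0;
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        if (tailmatch_flawed(cookie_domain, hosts[i]) !=
            tailmatch_fixed(cookie_domain, hosts[i]))
            n++;
    return n;
}
```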

Comment 3 Jan Lieskovsky 2013-04-10 13:09:30 UTC
This issue affects the versions of the curl package as shipped with Red Hat Enterprise Linux 5 and 6.

--

This issue affects the versions of the curl package as shipped with Fedora releases 17 and 18.

Comment 6 Jan Lieskovsky 2013-04-11 08:22:44 UTC
The CVE identifier of CVE-2013-1944 has been assigned to this issue.

Comment 7 Jan Lieskovsky 2013-04-11 08:24:37 UTC
Proposed upstream patch is available at:
  http://curl.haxx.se/curl-tailmatch.patch

Comment 8 Jan Lieskovsky 2013-04-11 08:26:58 UTC
Created attachment 734032 [details]
Local copy of proposed upstream patch

Comment 10 Jan Lieskovsky 2013-04-12 08:58:13 UTC
External References:
http://curl.haxx.se/docs/adv_20130412.html

Comment 11 Jan Lieskovsky 2013-04-12 08:59:41 UTC
Created curl tracking bugs for this issue

Affects: fedora-all [bug 951417]

Comment 16 Fedora Update System 2013-04-18 02:34:24 UTC
curl-7.27.0-8.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2013-04-20 19:45:30 UTC
curl-7.29.0-5.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 errata-xmlrpc 2013-04-24 17:37:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2013:0771 https://rhn.redhat.com/errata/RHSA-2013-0771.html

Comment 19 Fedora Update System 2013-05-01 04:23:56 UTC
curl-7.29.0-6.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2013-05-06 03:49:02 UTC
curl-7.27.0-9.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.