Bug 1138846 (CVE-2014-3620) - CVE-2014-3620 curl: cookies accepted for TLDs
Summary: CVE-2014-3620 curl: cookies accepted for TLDs
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2014-3620
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1140037 1140038 1140039
Blocks: 1136155
Reported: 2014-09-05 18:57 UTC by Vincent Danen
Modified: 2023-05-12 04:56 UTC (History)

Fixed In Version: curl 7.38.0
Clone Of:
Environment:
Last Closed: 2014-09-15 12:04:48 UTC
Embargoed:


Description Vincent Danen 2014-09-05 18:57:53 UTC
Daniel Stenberg reported the following vulnerability in cURL that could cause libcurl-based HTTP clients to leak cookie information:

Cookies set for Top Level Domains (TLD)

   libcurl wrongly allows cookies to be set for TLDs, thus making them much
   broader than they are supposed to be allowed to. This can allow arbitrary
   sites to set cookies that then would get sent to a different and unrelated
   site or domain.

   INFO

   Cookie parsing and use is opt-in by applications and is not enabled by
   default.

   libcurl's cookie parser has no Public Suffix awareness, so apart from
   rejecting TLDs from being allowed it might still allow cookies for domains
   that are otherwise widely rejected by ordinary browsers. See
   https://publicsuffix.org/ for details.

Versions 7.31.0 and later are affected.  Earlier versions are not affected.

Information about how to enable cookies is available from http://curl.haxx.se/docs/http-cookies.html

Acknowledgements:

Red Hat would like to thank the cURL project for reporting these issues. Upstream acknowledges Tim Ruehsen as the original reporter.


Statement:

This issue did not affect the versions of curl as shipped with Red Hat Enterprise Linux 5, 6, or 7.
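
The check the advisory describes, shown as an added example that is not libcurl's code and not part of the original report: a simplified Domain-attribute validator in C, with a tail-match-only version beside one that also rejects dotless (TLD) domains. The function names and host names are constructed for illustration, and IP-literal hosts are assumed not to occur.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* True if host equals domain or ends with "." + domain (case-insensitive). */
static bool tail_match(const char *domain, const char *host)
{
    size_t dl = strlen(domain), hl = strlen(host);
    if (dl == 0 || dl > hl)
        return false;
    if (strcasecmp(host + (hl - dl), domain) != 0)
        return false;
    return hl == dl || host[hl - dl - 1] == '.';
}

/* Weak: tail match only, so Domain=com is accepted from any .com host. */
bool accept_domain_weak(const char *domain, const char *host)
{
    if (*domain == '.')
        domain++;                      /* a leading dot is ignored */
    return tail_match(domain, host);
}

/* Stricter: also reject a Domain with no embedded dot unless it is exactly
   the request host (e.g. "localhost"). There is no Public Suffix lookup,
   so a multi-label suffix such as "co.uk" still passes. */
bool accept_domain_strict(const char *domain, const char *host)
{
    if (*domain == '.')
        domain++;
    if (!tail_match(domain, host))
        return false;
    if (strchr(domain, '.') == NULL && strcasecmp(domain, host) != 0)
        return false;
    return true;
}

int main(void)
{
    const char *host = "shop.example.com";       /* constructed sample host */
    const char *domains[] = { "com", ".example.com", "example.org" };
    for (size_t i = 0; i < 3; i++)
        printf("Domain=%-13s weak=%d strict=%d\n", domains[i],
               accept_domain_weak(domains[i], host),
               accept_domain_strict(domains[i], host));
    return 0;
}
```

The "co.uk" case is the residual gap the advisory's INFO note points at: rejecting dotless domains does not substitute for Public Suffix awareness.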

Comment 1 Tomas Hoger 2014-09-08 13:43:14 UTC
(In reply to Vincent Danen from comment #0)
> Versions 7.31.0 and later are affected.  Earlier versions are not affected.

To be more specific, upstream identified the following commit as the one that introduced this issue and caused curl to accept cookies for TLDs:

https://github.com/bagder/curl/commit/85b9dc8023

This fix was also backported to curl version 7.29.0 as used in Fedora 19.  Hence all current Fedora releases are affected by this problem.

Red Hat Enterprise Linux 5, 6 and 7 are not affected, as noted above.

Comment 4 Murray McAllister 2014-09-10 08:29:04 UTC
This issue is public now.

External References:

http://curl.haxx.se/docs/adv_20140910B.html

Comment 5 Murray McAllister 2014-09-10 08:35:42 UTC
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 1140039]

Comment 6 Murray McAllister 2014-09-10 08:35:45 UTC
Created mingw-curl tracking bugs for this issue:

Affects: fedora-all [bug 1140037]
Affects: epel-7 [bug 1140038]

Comment 7 Fedora Update System 2014-09-14 03:27:25 UTC
curl-7.32.0-13.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2014-09-23 04:26:08 UTC
curl-7.37.0-7.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2014-10-08 19:03:39 UTC
curl-7.29.0-23.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

