Red Hat Bugzilla – Bug 485271
CVE-2009-0037 curl: local file access via unsafe redirects
Last modified: 2010-02-03 07:54:53 EST
When handling automatic redirects, libcurl does not differentiate between different target URLS, and will follow to any new URL that it understands. This includes the "file://" URL type, so a remote server can force a local libcurl-using application to read a local file instead of the remote one. This can lead to these applications exposing local files they are not meant to expose.
This issue affects RHEL2.1, RHEL3, RHEL4, RHEL5, Fedora 9, and Fedora 10.
Affected versions: curl and libcurl 5.11(!) to and including 7.19.3
Not affected versions: curl and libcurl 5.10 and earlier, 7.19.4 and later
Patch backports for various curl versions:
CVS HEAD: http://curl.haxx.se/CVE-2009-0037/curl-CVSHEAD-CVE-2009-0037.patch
Public now via:
curl-7.19.4-1.fc10 has been submitted as an update for Fedora 10.
curl-7.19.4-1.fc9 has been submitted as an update for Fedora 9.
curl-7.19.4-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
curl-7.19.4-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in following products:
Red Hat Enterprise Linux 2.1
Red Hat Enterprise Linux 3
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5
Via RHSA-2009:0341 https://rhn.redhat.com/errata/RHSA-2009-0341.html
This issue was addressed in:
Red Hat Enterprise Linux: