cURL did not properly cut off directory parts from a user-provided file name to be downloaded on operating systems where backslashes are used to separate directories and file names. This could allow remote servers to create or overwrite files via a Content-Disposition header that suggests a crafted filename, and possibly execute arbitrary code as a consequence of writing to a certain file in a user's home directory.

Different vulnerability than CVE-2010-2251, CVE-2010-2252 and CVE-2010-2253.

Note: As already mentioned in [2], this flaw only affected those operating systems where backslash is used to separate directories and file names, thus Microsoft Windows, Novell Netware, MSDOS, OS/2 and Symbian, to mention some of them.

References:
[1] http://curl.haxx.se/docs/security.html
[2] http://curl.haxx.se/docs/adv_20101013.html

Upstream patch:
[3] http://curl.haxx.se/curl-content-disposition.patch

Credit: Upstream acknowledges Dan Fandrich as the original reporter.
CVE Request: [4] http://www.openwall.com/lists/oss-security/2010/10/13/1
This issue affects the versions of the mingw32-curl package as shipped with Fedora releases 12 and 13. Please fix.
Created mingw32-curl tracking bugs for this issue.
Affects: fedora-all [bug 642649]
The mingw32-curl package in all branches is NOT affected by this security issue. As mentioned in [2]: This error is only present in the curl command line tool, it is NOT a problem of the library libcurl. The curl command line tool isn't bundled in the mingw32-curl package, hence the package shouldn't be affected.
Thanks for the clarification, Erik (searched only through the source code, so didn't realize it is possible, the final tool is not bundled in the final binary). Closing this bug.
The CVE identifier of CVE-2010-3842 has been assigned to the cURL issue, on native systems, which use backslash as directory part / filename part delimiter.
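The flaw described in the report at the top of this thread comes down to which characters a client treats as directory separators before using a server-suggested name. The following is an added example, not code from curl or from the upstream patch: it shows a slash-only cut beside one that also cuts at backslashes, plus a simplified Content-Disposition filename extractor. All function names and the sample header value are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Behaviour the report describes: only '/' counts as a separator,
   so backslash-separated directory parts survive. */
static const char *basename_slash_only(const char *name)
{
    const char *p = strrchr(name, '/');
    return p ? p + 1 : name;
}

/* Hardened: cut at the last '/' or '\\', whichever comes later. */
static const char *basename_any_sep(const char *name)
{
    const char *s = strrchr(name, '/');
    const char *b = strrchr(name, '\\');
    const char *p = (s && (!b || s > b)) ? s : b;
    return p ? p + 1 : name;
}

/* Copy the filename= parameter of a Content-Disposition value into out
   with directory parts removed. Returns 0, or -1 if no usable name.
   Simplified (assumption): no filename*= and no escape handling. */
static int suggested_name(const char *hdr, char *out, size_t outlen)
{
    const char *p = strstr(hdr, "filename=");
    size_t n;
    if (!p || outlen == 0)
        return -1;
    p += strlen("filename=");
    n = (*p == '"') ? strcspn(++p, "\"") : strcspn(p, "; \t\r\n");
    if (n >= outlen)
        return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    const char *base = basename_any_sep(out);
    memmove(out, base, strlen(base) + 1);   /* regions may overlap */
    /* Reject empty names and the "." / ".." directory entries. */
    return (!*out || !strcmp(out, ".") || !strcmp(out, "..")) ? -1 : 0;
}

int main(void)
{
    char buf[64];
    const char *raw = "dir\\sub\\name.txt";   /* constructed sample */
    if (suggested_name("attachment; filename=\"dir\\sub\\name.txt\"", buf, sizeof buf) == 0)
        printf("hardened: %s, slash-only: %s\n", buf, basename_slash_only(raw));
    return 0;
}
```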