Bug 642642 (CVE-2010-3842) - CVE-2010-3842 mingw32-curl: Did not strip directory parts separated by backslashes, when downloading files
Summary: CVE-2010-3842 mingw32-curl: Did not strip directory parts separated by backsl...
Alias: CVE-2010-3842
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 642649
TreeView+ depends on / blocked
Reported: 2010-10-13 13:40 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:40 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2010-10-13 18:16:49 UTC

Attachments (Terms of Use)

Description Jan Lieskovsky 2010-10-13 13:40:51 UTC
cURL did not properly cut off directory parts from user provided
file name to be downloaded on operating systems, where backslashes
are used to separate directories and file names. This could allow
remote servers to create or overwrite files via a Content-Disposition
header that suggests a crafted filename, and possibly execute arbitrary
code as a consequence of writing to a certain file in a user's home
directory. Different vulnerability than CVE-2010-2251, CVE-2010-2252
and CVE-2010-2253.

Note: As already mentioned in [2]. This flaw only affected those
      operating systems, where backslash is used to separate directories
      and file names, thus Microsoft Windows, Novell Netware, MSDOS, OS/2
      and Symbian to mention some of them.

[1] http://curl.haxx.se/docs/security.html
[2] http://curl.haxx.se/docs/adv_20101013.html

Upstream patch:
[3] http://curl.haxx.se/curl-content-disposition.patch

Credit: Upstream acknowledges Dan Fandrich as the original reporter.

Comment 1 Jan Lieskovsky 2010-10-13 13:48:08 UTC
CVE Request:
[4] http://www.openwall.com/lists/oss-security/2010/10/13/1

Comment 2 Jan Lieskovsky 2010-10-13 13:49:09 UTC
This issue affects the versions of the mingw32-curl package, as shipped
with Fedora release of 12 and 13.

Please fix.

Comment 3 Jan Lieskovsky 2010-10-13 13:51:37 UTC
Created mingw32-curl tracking bugs for this issue

Affects: fedora-all [bug 642649]

Comment 4 Erik van Pienbroek 2010-10-13 13:53:28 UTC
The mingw32-curl package in all branches is NOT affected by this security issue. As mentioned on [2]:

  This error is only present in the curl command line tool, it is NOT a
  problem of the library libcurl.

The curl command line tool isn't bundled in the mingw32-curl package hence the package shouldn't be affected

Comment 5 Jan Lieskovsky 2010-10-13 18:16:49 UTC
Thanks for the clarification, Erik (searched only through the source code,
so didn't realize it is possible, the final tool is not bundled in the
final binary).

Closing this bug.

Comment 6 Jan Lieskovsky 2010-10-16 10:50:27 UTC
The CVE identifier of CVE-2010-3842 has been assigned to the cURL issue,
on native systems, which use backslash as directory part / filename part

Note You need to log in before you can comment on or make changes to this bug.