Bug 642642 - (CVE-2010-3842) CVE-2010-3842 mingw32-curl: Did not strip directory parts separated by backslashes, when downloading files
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Keywords: Security
Depends On: 642649
Reported: 2010-10-13 09:40 EDT by Jan Lieskovsky
Modified: 2015-07-31 08:24 EDT
Doc Type: Bug Fix
Last Closed: 2010-10-13 14:16:49 EDT
Description Jan Lieskovsky 2010-10-13 09:40:51 EDT
cURL did not properly cut off directory parts from the user-provided
file name to be downloaded on operating systems where backslashes
are used to separate directories and file names. This could allow
remote servers to create or overwrite files via a Content-Disposition
header that suggests a crafted filename, and possibly execute arbitrary
code as a consequence of writing to a certain file in a user's home
directory. Different vulnerability than CVE-2010-2251, CVE-2010-2252
and CVE-2010-2253.

Note: As already mentioned in [2], this flaw only affected those
      operating systems where backslash is used to separate directories
      and file names, thus Microsoft Windows, Novell Netware, MSDOS, OS/2
      and Symbian, to mention some of them.

[1] http://curl.haxx.se/docs/security.html
[2] http://curl.haxx.se/docs/adv_20101013.html

Upstream patch:
[3] http://curl.haxx.se/curl-content-disposition.patch

Credit: Upstream acknowledges Dan Fandrich as the original reporter.
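
The directory-part stripping described in this report, as an added C example (not the upstream patch and not curl's own code): a slash-only strip next to one that treats both `/` and `\` as separators. The function names and sample file names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* "Before" behaviour as the report describes it: only '/' counts as a
 * separator, so backslash-separated directory parts are kept. */
static const char *strip_dirs_slash_only(const char *name)
{
    const char *p = strrchr(name, '/');
    return p ? p + 1 : name;
}

/* Hardened form: keep only what follows the last '/' or '\\'.
 * Assumption: backslash is stripped unconditionally, which is the safe
 * choice on the backslash-separator systems the report lists. */
static const char *strip_dirs(const char *name)
{
    const char *base = name;
    for (const char *p = name; *p; p++)
        if (*p == '/' || *p == '\\')
            base = p + 1;
    return base;
}

/* A stripped name is usable only if something other than "." or ".."
 * is left; otherwise the caller should fall back to its own name. */
static int usable_name(const char *base)
{
    return base[0] != '\0' && strcmp(base, ".") != 0 && strcmp(base, "..") != 0;
}

int main(void)
{
    /* Constructed file names, as a Content-Disposition header might suggest. */
    static const char *samples[] = {
        "report.pdf", "docs/report.pdf", "..\\..\\notes.txt",
        "a/b\\c.txt", "dir\\", ".."
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *base = strip_dirs(samples[i]);
        printf("%-20s slash-only: %-20s both: %-12s %s\n", samples[i],
               strip_dirs_slash_only(samples[i]), base,
               usable_name(base) ? "ok" : "rejected");
    }
    return 0;
}
```
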
Comment 1 Jan Lieskovsky 2010-10-13 09:48:08 EDT
CVE Request:
[4] http://www.openwall.com/lists/oss-security/2010/10/13/1
Comment 2 Jan Lieskovsky 2010-10-13 09:49:09 EDT
This issue affects the versions of the mingw32-curl package, as shipped
with Fedora releases 12 and 13.

Please fix.
Comment 3 Jan Lieskovsky 2010-10-13 09:51:37 EDT
Created mingw32-curl tracking bugs for this issue

Affects: fedora-all [bug 642649]
Comment 4 Erik van Pienbroek 2010-10-13 09:53:28 EDT
The mingw32-curl package in all branches is NOT affected by this security issue. As mentioned on [2]:

  This error is only present in the curl command line tool, it is NOT a
  problem of the library libcurl.

The curl command line tool isn't bundled in the mingw32-curl package, hence the package shouldn't be affected.
Comment 5 Jan Lieskovsky 2010-10-13 14:16:49 EDT
Thanks for the clarification, Erik (searched only through the source code,
so didn't realize it is possible that the final tool is not bundled in the
final binary).

Closing this bug.
Comment 6 Jan Lieskovsky 2010-10-16 06:50:27 EDT
The CVE identifier of CVE-2010-3842 has been assigned to the cURL issue,
on native systems, which use backslash as directory part / filename part
