Red Hat Bugzilla – Bug 642642
CVE-2010-3842 mingw32-curl: Did not strip directory parts separated by backslashes, when downloading files
Last modified: 2015-07-31 08:24:48 EDT
cURL did not properly cut off directory parts from a user-provided
file name to be downloaded on operating systems where backslashes
are used to separate directories and file names. This could allow
remote servers to create or overwrite files via a Content-Disposition
header that suggests a crafted filename, and possibly execute arbitrary
code as a consequence of writing to a certain file in a user's home
directory. Different vulnerability than CVE-2010-2251, CVE-2010-2252
Note: As already mentioned in . This flaw only affected those
operating systems where backslash is used to separate directories
and file names, thus Microsoft Windows, Novell Netware, MSDOS, OS/2
and Symbian, to mention some of them.
Credit: Upstream acknowledges Dan Fandrich as the original reporter.
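The directory stripping described in the report above, as an added example that is not part of the original bug report and is not curl's actual fix: it contrasts a slash-only basename with one that also treats backslashes as separators. The function names and sample file names are hypothetical, and the `:` handling and the rejection of `.`/`..` go beyond what the report states.

```c
#include <stdio.h>
#include <string.h>

/* Flawed behaviour as described in the report: only '/' ends a directory part. */
const char *slash_only_basename(const char *name)
{
    const char *s = strrchr(name, '/');
    return s ? s + 1 : name;
}

/* Hypothetical hardened helper: return the final component of a
 * server-suggested file name, treating '/', '\\' and ':' as separators.
 * ':' (drive-relative names such as "C:x") is an added precaution, not
 * something the report mentions. Returns NULL if nothing usable remains. */
const char *suggested_basename(const char *name)
{
    const char *base = name;
    const char *p;

    if (name == NULL)
        return NULL;
    for (p = name; *p; p++) {
        if (*p == '/' || *p == '\\' || *p == ':')
            base = p + 1;          /* restart after every separator */
    }
    if (*base == '\0' || strcmp(base, ".") == 0 || strcmp(base, "..") == 0)
        return NULL;               /* empty or still a directory reference */
    return base;
}

int main(void)
{
    /* Constructed sample values for a Content-Disposition filename. */
    const char *samples[] = {
        "report.txt", "dir/report.txt", "..\\..\\notes.txt",
        "a/b\\c.txt", "C:notes.txt", "..", "dir\\"
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *safe = suggested_basename(samples[i]);
        printf("%-20s slash-only: %-20s both: %s\n", samples[i],
               slash_only_basename(samples[i]), safe ? safe : "(rejected)");
    }
    return 0;
}
```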
This issue affects the versions of the mingw32-curl package, as shipped
with Fedora releases 12 and 13.
Created mingw32-curl tracking bugs for this issue
Affects: fedora-all [bug 642649]
The mingw32-curl package in all branches is NOT affected by this security issue. As mentioned on :
This error is only present in the curl command line tool, it is NOT a
problem of the library libcurl.
The curl command line tool isn't bundled in the mingw32-curl package, hence the package shouldn't be affected.
Thanks for the clarification, Erik (searched only through the source code,
so didn't realize it is possible, the final tool is not bundled in the
Closing this bug.
The CVE identifier of CVE-2010-3842 has been assigned to the cURL issue,
on native systems, which use backslash as directory part / filename part