When handling automatic redirects, libcurl does not differentiate between different target URLs, and will follow any new URL that it understands. This includes the "file://" URL type, so a remote server can force a local libcurl-using application to read a local file instead of the remote one. This can lead to these applications exposing local files they are not meant to expose.
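The redirect behaviour described above, modelled in Python as an added example (this is not curl's code and not part of the bug report). The client library "understands" a set of schemes; the unpatched version treats any of them as a valid redirect target, so an HTTP server answering with `Location: file:///etc/passwd` steers the client into reading a local file. The hardened version keeps a separate allowlist of schemes a redirect may switch to. The server responses, the file contents and the URL `example.test` are all constructed in memory so the script runs offline.

```python
"""Model of redirect handling in a libcurl-style client, before and after
a redirect-scheme allowlist.  Added illustration for CVE-2009-0037; this
is not curl's code and the "server" below is constructed in memory."""
from urllib.parse import urljoin, urlsplit

# Schemes the client library understands.  An unpatched libcurl followed a
# redirect to any of these, so a remote HTTP server could steer it to file://.
UNDERSTOOD_SCHEMES = frozenset({"http", "https", "ftp", "ftps", "file", "scp", "sftp"})

# Schemes a redirect may switch to in the hardened client: only the
# network protocols the application actually expects.
REDIR_ALLOWED_SCHEMES = frozenset({"http", "https"})

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed responses standing in for a hostile remote server.
# url -> (status, headers, body).  The file:// entry models libcurl's file
# handler reading a local file; the content is made up.
FAKE_SERVER = {
    "http://example.test/start": (302, {"Location": "/step2"}, b""),
    "http://example.test/step2": (302, {"Location": "file:///etc/passwd"}, b""),
    "http://example.test/good": (301, {"Location": "https://example.test/final"}, b""),
    "https://example.test/final": (200, {}, b"final content"),
    "file:///etc/passwd": (200, {}, b"root:x:0:0:root:/root:/bin/sh\n"),
}


class RedirectRefused(Exception):
    """Raised when a Location header points at a scheme outside the allowlist."""


class TooManyRedirects(Exception):
    """Raised when the redirect chain exceeds the configured limit."""


def fake_fetch(url):
    """Look up a constructed response; unknown URLs get a 404."""
    return FAKE_SERVER.get(url, (404, {}, b""))


def redirect_target(current_url, location):
    """Resolve a Location header against the URL that produced it.

    Returns (absolute_target, scheme) with the scheme lower-cased so that
    'FILE:///etc/passwd' is compared as 'file'."""
    target = urljoin(current_url, location.strip())
    return target, urlsplit(target).scheme.lower()


def follow(start_url, allowed_redirect_schemes, fetch=fake_fetch, max_redirects=5):
    """Fetch start_url and follow 3xx Location headers.

    Returns (final_url, status, body, hops).  Raises RedirectRefused if a
    redirect would move to a scheme not in allowed_redirect_schemes, and
    TooManyRedirects after max_redirects hops."""
    url = start_url
    hops = [url]
    for _ in range(max_redirects + 1):
        status, headers, body = fetch(url)
        if status not in REDIRECT_STATUSES or "Location" not in headers:
            return url, status, body, hops
        target, scheme = redirect_target(url, headers["Location"])
        if scheme not in allowed_redirect_schemes:
            raise RedirectRefused(
                f"refusing redirect from {url} to {target} (scheme {scheme!r})")
        url = target
        hops.append(url)
    raise TooManyRedirects(hops)


def vulnerable_fetch(start_url):
    """Unpatched behaviour: any understood scheme is a valid redirect target."""
    return follow(start_url, UNDERSTOOD_SCHEMES)


def hardened_fetch(start_url):
    """Hardened behaviour: redirects may only stay on http/https."""
    return follow(start_url, REDIR_ALLOWED_SCHEMES)


if __name__ == "__main__":
    final, status, body, hops = vulnerable_fetch("http://example.test/start")
    print("vulnerable client ended at", final, "with", body)
    try:
        hardened_fetch("http://example.test/start")
    except RedirectRefused as exc:
        print("hardened client:", exc)
    print("hardened client, benign chain:", hardened_fetch("http://example.test/good")[3])
```

Two details matter in practice: the scheme is compared after lower-casing, because a server can spell it `FILE://`, and the check is applied to the resolved absolute target, not the raw header, so relative redirects stay on the original host and scheme. As background not stated on this page, libcurl 7.19.4 introduced the CURLOPT_REDIR_PROTOCOLS option for exactly this purpose; applications on a fixed libcurl should set it to the protocols they actually expect rather than rely on the default.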
This issue affects RHEL2.1, RHEL3, RHEL4, RHEL5, Fedora 9, and Fedora 10.

Affected versions: curl and libcurl 5.11(!) to and including 7.19.3
Not affected versions: curl and libcurl 5.10 and earlier, 7.19.4 and later
Patch backports for various curl versions:

CVS HEAD: http://curl.haxx.se/CVE-2009-0037/curl-CVSHEAD-CVE-2009-0037.patch
7.19.0: http://curl.haxx.se/CVE-2009-0037/curl-7.19.0-CVE-2009-0037.patch
7.18.2: http://curl.haxx.se/CVE-2009-0037/curl-7.18.2-CVE-2009-0037.patch
7.18.1: http://curl.haxx.se/CVE-2009-0037/curl-7.18.1-CVE-2009-0037.patch
7.16.4: http://curl.haxx.se/CVE-2009-0037/curl-7.16.4-CVE-2009-0037.patch
7.15.1: http://curl.haxx.se/CVE-2009-0037/curl-7.15.1-CVE-2009-0037.patch
7.11.0: http://curl.haxx.se/CVE-2009-0037/curl-7.11.0-CVE-2009-0037.patch
Public now via: http://curl.haxx.se/mail/archive-2009-03/0010.html
curl-7.19.4-1.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/curl-7.19.4-1.fc10
curl-7.19.4-1.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/curl-7.19.4-1.fc9
curl-7.19.4-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
curl-7.19.4-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
Reporter's advisory:
http://www.withdk.com/2009/03/03/curllibcurl-redirect-arbitrary-file-access/
http://www.withdk.com/archives/Libcurl_arbitrary_file_access.pdf
This issue has been addressed in the following products:

Red Hat Enterprise Linux 2.1
Red Hat Enterprise Linux 3
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5

Via RHSA-2009:0341 https://rhn.redhat.com/errata/RHSA-2009-0341.html
This issue was addressed in:

Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2009-0341.html

Fedora:
https://admin.fedoraproject.org/updates/F10/FEDORA-2009-2247
https://admin.fedoraproject.org/updates/F9/FEDORA-2009-2265