Bug 1178692 (CVE-2014-8150) - CVE-2014-8150 curl: URL request injection vulnerability in parseurlandfillconn()
Summary: CVE-2014-8150 curl: URL request injection vulnerability in parseurlandfillconn()
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-8150
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1180062 1180063 1180064 1180118 1215062
Blocks: 1178694 1193283 1210268
TreeView+ depends on / blocked
 
Reported: 2015-01-05 10:30 UTC by Vasyl Kaigorodov
Modified: 2023-05-12 07:03 UTC (History)
26 users (show)

Fixed In Version: libcurl 7.40.0
Doc Type: Bug Fix
Doc Text:
It was discovered that the libcurl library failed to properly handle URLs with embedded end-of-line characters. An attacker able to make an application using libcurl access a specially crafted URL via an HTTP proxy could use this flaw to inject additional headers to the request or construct additional requests.
Clone Of:
Environment:
Last Closed: 2016-07-11 09:13:41 UTC
Embargoed:

Attachments (Terms of Use)
0001-url-parsing-reject-CRLFs-within-URLs.patch (1.10 KB, patch)
2015-01-05 10:45 UTC, Vasyl Kaigorodov 		no flags Details | Diff
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1254 0 normal SHIPPED_LIVE Moderate: curl security, bug fix, and enhancement update 2015-07-20 17:50:03 UTC
Red Hat Product Errata RHSA-2015:2159 0 normal SHIPPED_LIVE Moderate: curl security, bug fix, and enhancement update 2015-11-19 08:26:18 UTC

Description Vasyl Kaigorodov 2015-01-05 10:30:10 UTC 
libcurl upstream reports:

"""

When libcurl sends a request to a server via a HTTP proxy, it copies the entire URL into the request and sends if off.

If the given URL contains line feeds and carriage returns those will be sent along to the proxy too, which allows the program to for example send a separate HTTP request injected embedded in the URL.

Many programs allow some kind of external sources to set the URL or provide partial pieces for the URL to request, and if the URL (as received from the user) is not stripped good enough - this flaw allows malicious users to do additional requests in a way that was not intended, or to insert request headers into the request that the program didn't intend.

We are not aware of any public exploits of this flaw.

"""

External References:

http://curl.haxx.se/docs/adv_20150108B.html

Acknowledgements:

Red Hat would like to thank the cURL project for reporting this issue. Upstream acknowledges Andrey Labunets of Facebook as the original reporter.
Comment 1 Vasyl Kaigorodov 2015-01-05 10:45:53 UTC 
Created attachment 976325 [details]
0001-url-parsing-reject-CRLFs-within-URLs.patch
Comment 2 Martin Prpič 2015-01-08 09:32:25 UTC 
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 1180062]
Comment 3 Martin Prpič 2015-01-08 09:32:29 UTC 
Created mingw-curl tracking bugs for this issue:

Affects: fedora-all [bug 1180063]
Affects: epel-7 [bug 1180064]
Comment 4 Tomas Hoger 2015-01-08 09:59:51 UTC 
Fixed now in curl 7.40.0:

http://curl.haxx.se/mail/archive-2015-01/0019.html

Upstream commits (fix + test):

https://github.com/bagder/curl/commit/178bd7db34f77e020fb8562890c5625ccbd67093
https://github.com/bagder/curl/commit/3df8e78860d3a3d3cf95252bd2b4ad5fd53360cd
Comment 9 Fedora Update System 2015-01-10 11:56:33 UTC 
curl-7.32.0-18.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2015-01-11 10:56:38 UTC 
curl-7.37.0-12.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Vincent Danen 2015-02-17 19:53:57 UTC 
Statement:

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
Comment 16 errata-xmlrpc 2015-07-22 05:44:28 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1254 https://rhn.redhat.com/errata/RHSA-2015-1254.html
Comment 18 errata-xmlrpc 2015-11-19 07:07:54 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2159 https://rhn.redhat.com/errata/RHSA-2015-2159.html
Note You need to log in before you can comment on or make changes to this bug.