GLSA-201203-02

Executive Summary

Summary
Title	cURL: Multiple vulnerabilities

Informations
Name	GLSA-201203-02	First vendor Publication	2012-03-06
Vendor	Gentoo	Last vendor Modification	2012-03-06
Severity (Vendor)	Normal	Revision	N/A

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score	7.5	Attack Range	Network
Cvss Impact Score	6.4	Attack Complexity	Low
Cvss Expoit Score	10	Authentification	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Synopsis

Multiple vulnerabilities have been found in cURL, the worst of which might allow remote execution of arbitrary code.

Background

cURL is a command line tool for transferring files with URL syntax, supporting numerous protocols.

Description

Multiple vulnerabilities have been found in cURL:

* When zlib is enabled, the amount of data sent to an application for automatic decompression is not restricted (CVE-2010-0734).
* When performing GSSAPI authentication, credential delegation is always used (CVE-2011-2192).
* When SSL is enabled, cURL improperly disables the OpenSSL workaround to mitigate an information disclosure vulnerability in the SSL and TLS protocols (CVE-2011-3389).
* libcurl does not properly verify file paths for escape control characters in IMAP, POP3 or SMTP URLs (CVE-2012-0036).

Impact

A remote attacker could entice a user or automated process to open a specially crafted file or URL using cURL, possibly resulting in the remote execution of arbitrary code, a Denial of Service condition, disclosure of sensitive information, or unwanted actions performed via the IMAP, POP3 or SMTP protocols. Furthermore, remote servers may be able to impersonate clients via GSSAPI requests.

Workaround

There is no known workaround at this time.

Resolution

All cURL users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/curl-7.24.0"

References

[ 1 ] CVE-2010-0734 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0734
[ 2 ] CVE-2011-2192 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2192
[ 3 ] CVE-2011-3389 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3389
[ 4 ] CVE-2012-0036 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0036

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201203-02.xml

Original Source

Url : http://security.gentoo.org/glsa/glsa-201203-02.xml

CWE : Common Weakness Enumeration

id	Name
CWE-264	Permissions, Privileges, and Access Controls
CWE-255	Credentials Management
CWE-89	Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection')
CWE-20	Improper Input Validation

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:6756

Oval ID:	oval:org.mitre.oval:def:6756
Title:	VMware ESX, Service Console update for cURL.
Description:	content_encoding.c in libcurl 7.10.5 through 7.19.7, when zlib is enabled, does not properly restrict the amount of callback data sent to an application that requests automatic decompression, which might allow remote attackers to cause a denial of service (application crash) or have unspecified other impact by sending crafted compressed data to an application that relies on the intended data-length limit.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2010-0734	Version:	3
Platform(s):	VMWare ESX Server 4	Product(s):
Definition Synopsis:
VMware ESX Server 4.0 is installed AND Patch ESX400-201009409-SG is not installed.

Definition Id: oval:org.mitre.oval:def:10760

Oval ID:	oval:org.mitre.oval:def:10760
Title:	content_encoding.c in libcurl 7.10.5 through 7.19.7, when zlib is enabled, does not properly restrict the amount of callback data sent to an application that requests automatic decompression, which might allow remote attackers to cause a denial of service (application crash) or have unspecified other impact by sending crafted compressed data to an application that relies on the intended data-length limit.
Description:	content_encoding.c in libcurl 7.10.5 through 7.19.7, when zlib is enabled, does not properly restrict the amount of callback data sent to an application that requests automatic decompression, which might allow remote attackers to cause a denial of service (application crash) or have unspecified other impact by sending crafted compressed data to an application that relies on the intended data-length limit.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2010-0734	Version:	5
Platform(s):	Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5	Product(s):
Definition Synopsis:
OS Section: RHEL3, CentOS3 RHEL3 or CentOS3 The operating system installed on the system is Red Hat Enterprise Linux 3 AND CentOS Linux 3.x AND Configuration section curl-devel is earlier than 0:7.10.6-11.rhel3 AND curl is earlier than 0:7.10.6-11.rhel3 OR OS Section: RHEL4, CentOS4, Oracle Linux 4 RHEL4, CentOS4 or Oracle Linux 4 The operating system installed on the system is Red Hat Enterprise Linux 4 AND CentOS Linux 4.x AND Oracle Linux 4.x AND Configuration section curl-devel is earlier than 0:7.12.1-11.1.el4_8.3 AND curl is earlier than 0:7.12.1-11.1.el4_8.3 OR OS Section: RHEL5, CentOS5, Oracle Linux 5 RHEL5, CentOS5 or Oracle Linux 5 The operating system installed on the system is Red Hat Enterprise Linux 5 AND CentOS Linux 5.x AND Oracle Linux 5.x AND Configuration section curl-devel is earlier than 0:7.15.5-9.el5 AND curl is earlier than 0:7.15.5-9.el5

Definition Id: oval:org.mitre.oval:def:14752

Oval ID:	oval:org.mitre.oval:def:14752
Title:	SSL and TLS Protocols Vulnerability
Description:	The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.
Family:	windows	Class:	vulnerability
Reference(s):	CVE-2011-3389	Version:	7
Platform(s):	Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Vista Microsoft Windows 7	Product(s):
Definition Synopsis:
Vulnerable Microsoft Windows XP SP3 x86 Microsoft Windows XP (x86) SP3 is installed AND the version of schannel.dll is less than 5.1.2600.6175 OR Vulnerable Microsoft Windows XP SP2 x64, Windows Server 2003 x86/x64/ia64 SP2 Microsoft Windows XP SP2 x64, Windows Server 2003 x86/x64/ia64 SP2 Microsoft Windows XP x64 Edition SP2 is installed AND Microsoft Windows Server 2003 SP2 (x86) is installed AND Microsoft Windows Server 2003 SP2 (x64) is installed AND Microsoft Windows Server 2003 (ia64) SP2 is installed AND the version of schannel.dll is less than 5.2.3790.4935 OR Vulnerable Microsoft Windows Vista x86/x64 SP2, Server 2008 x86/x64/ia64 SP2 Microsoft Windows Vista x86/x64 SP2, Server 2008 x86/x64/ia64 SP2 Microsoft Windows Vista (32-bit) Service Pack 2 is installed AND Microsoft Windows Vista x64 Edition Service Pack 2 is installed AND Microsoft Windows Server 2008 (32-bit) Service Pack 2 is installed AND Microsoft Windows Server 2008 x64 Edition Service Pack 2 is installed AND Microsoft Windows Server 2008 Itanium-Based Edition Service Pack 2 is installed AND GDR or LDR Service branch the version of schannel.dll is less than 6.0.6002.18541 OR LDR the version of schannel.dll is greater than or equal to 6.0.6002.22000 AND the version of schannel.dll is less than 6.0.6002.22742 OR Vulnerable Microsoft Windows 7 x86/x64, Windows Server 2008 R2 x64/ia64 Microsoft Windows 7 x86/x64, Windows Server 2008 R2 x64/ia64 Microsoft Windows 7 (32-bit) is installed AND Microsoft Windows 7 x64 Edition is installed AND Microsoft Windows Server 2008 R2 x64 Edition is installed AND Microsoft Windows Server 2008 R2 Itanium-Based Edition is installed AND GDR or LDR Service branch the version of schannel.dll is less than 6.1.7600.16915 OR LDR the version of schannel.dll is greater than or equal to 6.1.7600.20000 AND the version of schannel.dll is less than 6.1.7600.21092 OR Vulnerable Microsoft Windows 7 x86/x64 SP1, Windows Server 2008 R2 x64/ia64 SP1 Microsoft Windows 7 x86/x64 SP1, Windows Server 2008 R2 x64/ia64 SP1 Microsoft Windows 7 (32-bit) Service Pack 1 is installed AND Microsoft Windows 7 x64 Service Pack 1 is installed AND Microsoft Windows Server 2008 R2 x64 Service Pack 1 is installed AND Microsoft Windows Server 2008 R2 Itanium-Based Edition Service Pack 1 is installed AND GDR or LDR Service branch the version of schannel.dll is less than 6.1.7601.17725 OR LDR the version of schannel.dll is greater than or equal to 6.1.7601.21000 AND the version of schannel.dll is less than 6.1.7601.21861

CPE : Common Platform Enumeration

Type	Description	Count
Application	Curl Curl cpe:/a:curl:curl:7.23.1 cpe:/a:curl:curl:7.23.0 cpe:/a:curl:curl:7.22.0 cpe:/a:curl:curl:7.21.7 cpe:/a:curl:curl:7.21.6 cpe:/a:curl:curl:7.21.5 cpe:/a:curl:curl:7.21.4 cpe:/a:curl:curl:7.21.3 cpe:/a:curl:curl:7.21.2 cpe:/a:curl:curl:7.21.1 cpe:/a:curl:curl:7.21.0 cpe:/a:curl:curl:7.20.1 cpe:/a:curl:curl:7.20.0 cpe:/a:curl:curl	14
Application	Curl Libcurl cpe:/a:curl:libcurl:7.23.1 cpe:/a:curl:libcurl:7.23.0 cpe:/a:curl:libcurl:7.22.0 cpe:/a:curl:libcurl:7.21.7 cpe:/a:curl:libcurl:7.21.6 cpe:/a:curl:libcurl:7.21.5 cpe:/a:curl:libcurl:7.21.4 cpe:/a:curl:libcurl:7.21.3 cpe:/a:curl:libcurl:7.21.2 cpe:/a:curl:libcurl:7.21.1 cpe:/a:curl:libcurl:7.21.0 cpe:/a:curl:libcurl:7.20.1 cpe:/a:curl:libcurl:7.20.0 cpe:/a:curl:libcurl:7.19.7 cpe:/a:curl:libcurl:7.19.6 cpe:/a:curl:libcurl:7.19.5 cpe:/a:curl:libcurl:7.19.4 cpe:/a:curl:libcurl:7.19.3 cpe:/a:curl:libcurl:7.19.2 cpe:/a:curl:libcurl:7.19.1 cpe:/a:curl:libcurl:7.19.0 cpe:/a:curl:libcurl:7.18.2 cpe:/a:curl:libcurl:7.18.1 cpe:/a:curl:libcurl:7.18.0 cpe:/a:curl:libcurl:7.17.1 cpe:/a:curl:libcurl:7.17.0 cpe:/a:curl:libcurl:7.16.3 cpe:/a:curl:libcurl:7.15.3 cpe:/a:curl:libcurl:7.15.2 cpe:/a:curl:libcurl:7.15.1 cpe:/a:curl:libcurl:7.15 cpe:/a:curl:libcurl:7.14.1 cpe:/a:curl:libcurl:7.14 cpe:/a:curl:libcurl:7.13.2 cpe:/a:curl:libcurl:7.13.1 cpe:/a:curl:libcurl:7.13 cpe:/a:curl:libcurl:7.12.3 cpe:/a:curl:libcurl:7.12.2 cpe:/a:curl:libcurl:7.12.1 cpe:/a:curl:libcurl:7.12.0 cpe:/a:curl:libcurl:7.12 cpe:/a:curl:libcurl:7.11.2 cpe:/a:curl:libcurl:7.11.1 cpe:/a:curl:libcurl:7.11.0 cpe:/a:curl:libcurl:7.10.8 cpe:/a:curl:libcurl:7.10.7 cpe:/a:curl:libcurl:7.10.6 cpe:/a:curl:libcurl:7.10.5	48
Application	Google Chrome cpe:/a:google:chrome	1
Application	Microsoft Ie cpe:/a:microsoft:ie	1
Application	Mozilla Firefox cpe:/a:mozilla:firefox	1
Application	Opera Opera Browser cpe:/a:opera:opera_browser	1
Os	Microsoft Windows cpe:/o:microsoft:windows	1

Open Source Vulnerability Database (OSVDB)

id	Description
78512	cURL Multiple Protocol File Path URL Parsing Control Character Injection
74829	SSL Chained Initialization Vector CBC Mode MiTM Weakness
73686	libcurl http_negotiate.c Curl_input_negotiate Function GSSAPI Credential Dele...
73328	cURL GSSAPI Client Credential Remote Disclosure
62217	cURL / libcURL Compressed HTTP Content Registered Callback Overflow