DSA 919-1: New curl packages fix potential security problem
Posted on: 12/12/2005 02:22 PM

The Debian Security Team published a new security update for Debian GNU/Linux. Here the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 919-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
December 12th, 2005 http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package : curl
Vulnerability : buffer overflow
Problem type : local (remote)
Debian-specific: no
CVE ID : CVE-2005-4077 CVE-2005-3185
BugTraq ID : 15756 15102 15647
Debian Bug : 342339 342696

Several problems were discovered in libcurl, a multi-protocol file
transfer library. The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2005-3185

A vulnerability has been discovered a buffer overflow in libcurl
that could allow the execution of arbitrary code.

CVE-2005-4077

Stefan Esser discovered several off-by-one errors that allows
local users to trigger a buffer overflow and cause a denial of
service or bypass PHP security restrictions via certain URLs.

For the old stable distribution (woody) these problems have been fixed in
version 7.9.5-1woody1.

For the stable distribution (sarge) these problems have been fixed in
version 7.13.2-2sarge4. This update also includes a bugfix against
data corruption.

For the unstable distribution (sid) these problems have been fixed in
version 7.15.1-1.

We recommend that you upgrade your libcurl packages.


Upgrade Instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

Source archives:

http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody1.dsc
Size/MD5 checksum: 603 c7980d3b9589f2ef20390a70e0b4de74
http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody1.diff.gz
Size/MD5 checksum: 16631 e35ec4ff7161fa158c04c8cbf716d159
http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5.orig.tar.gz
Size/MD5 checksum: 682397 a4df6bb5aa8962c204e73c8f98077928

Alpha architecture:

http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody1_alpha.deb
Size/MD5 checksum: 118498 584184fdc57b0b302b1c16b293222492
http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody1_alpha.deb
Size/MD5 checksum: 195922 6a58bcdea99e866fdfbad573b3d6ef8d
http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody1_alpha.deb
Size/MD5 checksum: 116574 799b6ccd5c223cd8580c8e4fc610fef8

ARM architecture:

http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody1_arm.deb
Size/MD5 checksum: 114452 028489639e478d66a6223c7a2175cac9
http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody1_arm.deb
Size/MD5 checksum: 172978 ad531498826aaa48ec0e2eb5c2df7207
http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody1_arm.deb
Size/MD5 checksum: 101852 c7df9a970ef2f5a1ac11f6aae2c539be

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody1_i386.deb
Size/MD5 checksum: 112954 55c016b60375a465dd139b25a9860e3b
http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody1_i386.deb
Size/MD5 checksum: 163696 c88d95d412ef529c8eebc9d21a5d6006
http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody1_i386.deb
Size/MD5 checksum: 100482 ca2e1ea6b2508888814e75101a9936bf

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody1_ia64.deb
Size/MD5 checksum: 122062 7476d36d7530caab9aa08c8c24bc7b17
http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody1_ia64.deb
Size/MD5 checksum: 210310 5ef9167039cdf11ba26f5380265e9f0e
http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody1_ia64.deb
Size/MD5 checksum: 139432 6c924348404f96a9d534485d231da013

HP Precision architecture:

http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody1_hppa.deb
Size/MD5 checksum: 116424 a94545e972184368284431251dc81bc0
http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody1_hppa.deb
Size/MD5 checksum: 186366 a9ef087b21652930a452f9aa61e17040
http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody1_hppa.deb
Size/MD5 checksum: 112976 9f67b8e55d8578f97913aef8135251cc

Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody1_m68k.deb
Size/MD5 checksum: 112776 246260a28117b2c1fc01d9754e4dc4fe
http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody1_m68k.deb
Size/MD5 checksum: 159130 3e9ce9d21bbdce3688ddbaf4f260ac2f
http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody1_m68k.deb
Size/MD5 checksum: 97160 01ce2ddf9d7a91373bc02086a0718225

Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody1_mips.deb
Size/MD5 checksum: 115468 6e64a1534418bb425a1ad1dc2be0e1f9
http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody1_mips.deb
Size/MD5 checksum: 183938 5978db39fe8acd2a4042c6f184129211
http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody1_mips.deb
Size/MD5 checksum: 105234 2e48fba8ba1392918aa0c0ad95b0d237

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody1_mipsel.deb
Size/MD5 checksum: 115494 0c3bdfc2517c81dda03e999505711af5
http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody1_mipsel.deb
Size/MD5 checksum: 183856 aef61efcb299d750e575eb1e8cc0a500
http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody1_mipsel.deb
Size/MD5 checksum: 105328 830278f24a115bf4dfa2a57517507faa

PowerPC architecture:

http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody1_powerpc.deb
Size/MD5 checksum: 115064 36a580ccb525717018023223252a2dad
http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody1_powerpc.deb
Size/MD5 checksum: 181490 7af33b2711cea9edd18a1e0bf76b7908
http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody1_powerpc.deb
Size/MD5 checksum: 106400 362227268352e1b6345d665e46cad9f4

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody1_s390.deb
Size/MD5 checksum: 114380 e67536f6369452d7eb9c68a526b50acc
http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody1_s390.deb
Size/MD5 checksum: 167516 6a47b2681d358a72dd2da46cd282cde3
http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody1_s390.deb
Size/MD5 checksum: 104362 f48b9e5257fb2d933676f1bdedf65700

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody1_sparc.deb
Size/MD5 checksum: 114212 dcc862dfac0b145a85dd41ee26b8f68a
http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody1_sparc.deb
Size/MD5 checksum: 173280 9d4005552173802f517f84c7b7ff6e7c
http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody1_sparc.deb
Size/MD5 checksum: 107954 1bcfdf01ff3c281aca72220de9c36285


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

Source archives:

http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge4.dsc
Size/MD5 checksum: 810 da7861471f869f9a9ec5134d5fd38d19
http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge4.diff.gz
Size/MD5 checksum: 171255 d385dd607b786b7f850a9f24babcc65a
http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2.orig.tar.gz
Size/MD5 checksum: 2201086 b3bd4a303f35f9a2a3ed3671cedf8329

Alpha architecture:

http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge4_alpha.deb
Size/MD5 checksum: 150884 bd55a60b515ee8c2465fd17f7de29d50
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge4_alpha.deb
Size/MD5 checksum: 251276 2f8cc5197eb54c78b18f25f63207d286
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge4_alpha.deb
Size/MD5 checksum: 1010862 797c1b435ae57f09704840682615fed9
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge4_alpha.deb
Size/MD5 checksum: 1279412 1d9b9bcaeb4f55b4e1029ab24b74cb7f
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge4_alpha.deb
Size/MD5 checksum: 132164 b81c4278c3cbdf9c78266ca451110745

AMD64 architecture:

http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge4_amd64.deb
Size/MD5 checksum: 148002 b56233f49b100362e368b03e66218720
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge4_amd64.deb
Size/MD5 checksum: 239260 d13d8eaecec3d63810e1ed73a6268ee2
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge4_amd64.deb
Size/MD5 checksum: 1004100 712cffdd8bb0678bbd5372f8038bf743
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge4_amd64.deb
Size/MD5 checksum: 1237918 5b7ab2089d6c421223ab1d5bca45ccc8
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge4_amd64.deb
Size/MD5 checksum: 119332 a29338d6eebb002f76b64eb8db25669d

ARM architecture:

http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge4_arm.deb
Size/MD5 checksum: 147036 4d7dd6a1e18101e9f82ca47bd71adee6
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge4_arm.deb
Size/MD5 checksum: 232254 7e7aa0f0d63d809380c5cf16a7bd9998
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge4_arm.deb
Size/MD5 checksum: 1006512 1b6bba8334374b9a0973834db013deec
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge4_arm.deb
Size/MD5 checksum: 1236324 d6e759826948dfc0b85100aa0721acbd
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge4_arm.deb
Size/MD5 checksum: 112850 6a4bb805155911126e0da34c9a69caba

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge4_i386.deb
Size/MD5 checksum: 146622 b5c28b5df70be2f14ccc38ba76445184
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge4_i386.deb
Size/MD5 checksum: 237394 deeefb82e0e50917d334cd58e941c703
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge4_i386.deb
Size/MD5 checksum: 1003560 5a072f044f577601edf276a80eee1a16
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge4_i386.deb
Size/MD5 checksum: 1223642 101c390bd001489d4338f18b64c7564f
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge4_i386.deb
Size/MD5 checksum: 118476 0b34194348da0cf2e73833791321f8be

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge4_ia64.deb
Size/MD5 checksum: 156700 c40c8b873384b31606d0f86f62f87d62
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge4_ia64.deb
Size/MD5 checksum: 279198 15bb908f6a841d8ffab2051484691d6d
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge4_ia64.deb
Size/MD5 checksum: 1014686 c515f26ae840693a7af303b939e533de
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge4_ia64.deb
Size/MD5 checksum: 1293752 a96384202ca09ebb218eb7ab0872da4d
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge4_ia64.deb
Size/MD5 checksum: 160754 e197fcb10908f1201b12105d6a4fe988

HP Precision architecture:

http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge4_hppa.deb
Size/MD5 checksum: 150516 e80d05b29994e4a4aa921a060f1aaa4a
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge4_hppa.deb
Size/MD5 checksum: 251178 95c1f4a011dd7509e631326175c6f4ac
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge4_hppa.deb
Size/MD5 checksum: 1002034 069328e53c666557d876adc4c7df762a
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge4_hppa.deb
Size/MD5 checksum: 1253588 66b90d2a50a329df1a6d2deb5db11caf
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge4_hppa.deb
Size/MD5 checksum: 132258 345e3389c3d58356d4324b6cb09b4ce1

Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge4_m68k.deb
Size/MD5 checksum: 144622 dcd9d447dc466637937f1390df4efe8c
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge4_m68k.deb
Size/MD5 checksum: 227834 d354dcd599d04d9c592b8fdbbe833775
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge4_m68k.deb
Size/MD5 checksum: 998522 83c7e2d7474f2bc623d3fa19db556c94
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge4_m68k.deb
Size/MD5 checksum: 1211958 a3e925c82c058b01971a781462d56fe9
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge4_m68k.deb
Size/MD5 checksum: 108658 c59d11114a8209e7fec2b5fd608e3864

Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge4_mips.deb
Size/MD5 checksum: 149912 722a66107541a6d2ae823f46b1459743
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge4_mips.deb
Size/MD5 checksum: 237422 08c3c48899e33babbc9bc8f3d8b8d97d
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge4_mips.deb
Size/MD5 checksum: 1007542 26b4bee9ab3ece84e1a2ef5bc0cfa815
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge4_mips.deb
Size/MD5 checksum: 1246952 ab4a46b14f124baad25a1c15e5f84f5d
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge4_mips.deb
Size/MD5 checksum: 118446 76a1ed48d045c6eec4ac3a9246adf369

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge4_mipsel.deb
Size/MD5 checksum: 150000 68e58cb1e4a76411d44f0cc28bed3dac
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge4_mipsel.deb
Size/MD5 checksum: 237988 53b75c49f88e29ea3b0615a33d1d179f
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge4_mipsel.deb
Size/MD5 checksum: 1010926 a31f246e13a31e422d6abd4637e7d79f
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge4_mipsel.deb
Size/MD5 checksum: 1247194 ae4a7ceb8e33c0f6d6e0ea017c1fd5a7
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge4_mipsel.deb
Size/MD5 checksum: 118908 499638c1e407f837d438eb3ee25b71c5

PowerPC architecture:

http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge4_powerpc.deb
Size/MD5 checksum: 150630 9d498e220cf3f1ea0bed9eba37895994
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge4_powerpc.deb
Size/MD5 checksum: 243434 e115acf14a63f9c2a19d42b1963ca7a0
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge4_powerpc.deb
Size/MD5 checksum: 1640952 fa15696dc540f1615672417c997761b3
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge4_powerpc.deb
Size/MD5 checksum: 1245276 db89abb638e975cdbcc0381b4123ea10
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge4_powerpc.deb
Size/MD5 checksum: 124126 78380f53d3d3656f87ea7d407e0ecd37

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge4_s390.deb
Size/MD5 checksum: 148600 4660101e4a8bd44eb68ef9ea80d95502
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge4_s390.deb
Size/MD5 checksum: 246602 de14f2625c352dc0f96981759b7ae94d
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge4_s390.deb
Size/MD5 checksum: 1025394 ea2821337cbbefffa7833cc8f2f73aae
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge4_s390.deb
Size/MD5 checksum: 1240726 1942bd69e7d06c8fa4f0aefda94a2b54
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge4_s390.deb
Size/MD5 checksum: 127424 a7412a250bd42c0cfe74d054a76e4352

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge4_sparc.deb
Size/MD5 checksum: 147624 92c2113d31613a17dad62bf4585bb96d
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge4_sparc.deb
Size/MD5 checksum: 236962 defcd15ad18e2110105685aa592c36cb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge4_sparc.deb
Size/MD5 checksum: 996594 515599851d6c7bc75edd4bd2a85e1b22
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge4_sparc.deb
Size/MD5 checksum: 1232322 4680ad497ca64e90d3a8cfc10f134ca7
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge4_sparc.deb
Size/MD5 checksum: 117968 8b50fcf2af77f3f5b075797c3f5db265


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show lt;pkggt;' and http://packages.debian.org/lt;pkggt;

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD4DBQFDnXUzW5ql+IAeqTIRAmxbAJji1JPfzDpUQi+smmNU5/TsirpDAJ40kBPm
yi4IyEbiGOj4PQSTFUBrog==
=w5uH
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/dsa_919_1_new_curl_packages_fix_potential_security_problem.html)