USN-228-1: curl library vulnerability
Posted on: 12/12/2005 08:52 PM

A new curl library vulnerability update is available for Ubuntu Linux. Here is the announcement:

Ubuntu Security Notice USN-228-1 December 12, 2005
curl vulnerability
CVE-2005-4077
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

libcurl2
libcurl3

The problem can be corrected by upgrading the affected package to
version 7.12.0.is.7.11.2-1ubuntu0.3 (for Ubuntu 4.10),
7.12.3-2ubuntu3.5 (libcurl3 for Ubuntu 5.04), 1:7.11.2-12ubuntu3.3
(libcurl2 for Ubuntu 5.04), or 7.14.0-2ubuntu1.2 (for Ubuntu 5.10).
In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Stefan Esser discovered several buffer overflows in the handling of
URLs. By attempting to load a URL with a specially crafted invalid
hostname, a local attacker could exploit this to execute arbitrary
code with the privileges of the application that uses the cURL
library.

It is not possible to trick cURL into loading a malicious URL with an
HTTP redirect, so this vulnerability was usually not exploitable
remotely. However, it could be exploited locally, e.g. to circumvent
PHP security restrictions.


Updated packages for Ubuntu 4.10:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.12.0.is.7.11.2-1ubuntu0.3.diff.gz
Size/MD5: 160919 5cf0f9c8ba68210e8e4c2758e60b2580
http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.12.0.is.7.11.2-1ubuntu0.3.dsc
Size/MD5: 707 ba339f748a4aa0df95fad727d17351a6
http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.12.0.is.7.11.2.orig.tar.gz
Size/MD5: 1435629 25e6617ea7dec34d072426942b77801f

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.12.0.is.7.11.2-1ubuntu0.3_amd64.deb
Size/MD5: 108786 b2c4b1a909e7df51f1b473bad16eb5da
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl2-dbg_7.12.0.is.7.11.2-1ubuntu0.3_amd64.deb
Size/MD5: 1043928 85dd2975faa3caf60fe4af59227e73ea
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl2-dev_7.12.0.is.7.11.2-1ubuntu0.3_amd64.deb
Size/MD5: 568360 7da61685491a4bf50cb4b93a2ec908c7
http://security.ubuntu.com/ubuntu/pool/universe/c/curl/libcurl2-gssapi_7.12.0.is.7.11.2-1ubuntu0.3_amd64.deb
Size/MD5: 112112 c643fd29e22a8b36bab08dcb26ff419c
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl2_7.12.0.is.7.11.2-1ubuntu0.3_amd64.deb
Size/MD5: 224822 5e3afe9b190593442354151c4175ac07

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.12.0.is.7.11.2-1ubuntu0.3_i386.deb
Size/MD5: 107950 6bdaa7ac9bc28865bf2f8ea98c033638
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl2-dbg_7.12.0.is.7.11.2-1ubuntu0.3_i386.deb
Size/MD5: 1029246 5bf95fcb5356c46a48647e90c106893a
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl2-dev_7.12.0.is.7.11.2-1ubuntu0.3_i386.deb
Size/MD5: 556842 9a83e697723e0498b189b661856a5f44
http://security.ubuntu.com/ubuntu/pool/universe/c/curl/libcurl2-gssapi_7.12.0.is.7.11.2-1ubuntu0.3_i386.deb
Size/MD5: 110126 ffd39f845dcd54c1725dd5b530f69880
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl2_7.12.0.is.7.11.2-1ubuntu0.3_i386.deb
Size/MD5: 223078 641bab72067de0f032fefcfe374a21b9

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.12.0.is.7.11.2-1ubuntu0.3_powerpc.deb
Size/MD5: 110280 f01bb0abf8a7ee14df4f5ce45c7edcb3
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl2-dbg_7.12.0.is.7.11.2-1ubuntu0.3_powerpc.deb
Size/MD5: 1053056 d14dafe8fa84b5c189a1b9434fab4166
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl2-dev_7.12.0.is.7.11.2-1ubuntu0.3_powerpc.deb
Size/MD5: 573702 d4e343709827dc77b6e3caf8c3383145
http://security.ubuntu.com/ubuntu/pool/universe/c/curl/libcurl2-gssapi_7.12.0.is.7.11.2-1ubuntu0.3_powerpc.deb
Size/MD5: 116522 add20579ac6b24154674095b8e8152ff
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl2_7.12.0.is.7.11.2-1ubuntu0.3_powerpc.deb
Size/MD5: 229658 ca56d9ba1a7445ac4638a79efe985cd6

Updated packages for Ubuntu 5.04:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.12.3-2ubuntu3.5.diff.gz
Size/MD5: 1262740 00b378df6454659925ffb8317de89a33
http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.12.3-2ubuntu3.5.dsc
Size/MD5: 832 19e220d065283b4c118a9a7576dcab13
http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.12.3.orig.tar.gz
Size/MD5: 2135477 653d1227c58ca870f95c488db62033f8

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.12.3-2ubuntu3.5_amd64.deb
Size/MD5: 166430 56b527b3f654c498476606c8b2e5218f
http://security.ubuntu.com/ubuntu/pool/universe/c/curl/libcurl2-dev_7.11.2-12ubuntu3.3_amd64.deb
Size/MD5: 341484 c64f9a35c94872b033ce89d8ae0bf193
http://security.ubuntu.com/ubuntu/pool/universe/c/curl/libcurl2_7.11.2-12ubuntu3.3_amd64.deb
Size/MD5: 225790 c6db9fc785c37e8fc27620b9841ae53f
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-dbg_7.12.3-2ubuntu3.5_amd64.deb
Size/MD5: 991810 d051acceddd6f2d4c1356bec0dcfbe9f
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-dev_7.12.3-2ubuntu3.5_amd64.deb
Size/MD5: 1217552 ed1cbb38b5dbe4f776b4277f0de74429
http://security.ubuntu.com/ubuntu/pool/universe/c/curl/libcurl3-gssapi_7.12.3-2ubuntu3.5_amd64.deb
Size/MD5: 138014 aa54bc9fd89a1068f75ac1a354796987
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3_7.12.3-2ubuntu3.5_amd64.deb
Size/MD5: 254376 fe569e17b09c23bda1156ae49a219df6

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.12.3-2ubuntu3.5_i386.deb
Size/MD5: 165564 b8cd25dfae1816207eddd1f9c9f6576a
http://security.ubuntu.com/ubuntu/pool/universe/c/curl/libcurl2-dev_7.11.2-12ubuntu3.3_i386.deb
Size/MD5: 328156 5ad8dbebd4b74ca2eb807290625fe3c2
http://security.ubuntu.com/ubuntu/pool/universe/c/curl/libcurl2_7.11.2-12ubuntu3.3_i386.deb
Size/MD5: 223992 2989c4c6292069c59d9654f2b99a77d9
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-dbg_7.12.3-2ubuntu3.5_i386.deb
Size/MD5: 989726 5406a590e0998ec705cbeba27f0c292d
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-dev_7.12.3-2ubuntu3.5_i386.deb
Size/MD5: 1202882 50757b0afdbefb3b8e956060dece4c75
http://security.ubuntu.com/ubuntu/pool/universe/c/curl/libcurl3-gssapi_7.12.3-2ubuntu3.5_i386.deb
Size/MD5: 135074 d7b7e473412ba0779f68d2265ab9dabf
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3_7.12.3-2ubuntu3.5_i386.deb
Size/MD5: 251820 0fde60ae464fe109113aa445fd5ac908

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.12.3-2ubuntu3.5_powerpc.deb
Size/MD5: 168958 0e2221d5202c09bb62c2ed02b3dbbc28
http://security.ubuntu.com/ubuntu/pool/universe/c/curl/libcurl2-dev_7.11.2-12ubuntu3.3_powerpc.deb
Size/MD5: 346148 fc1431630ee831312c32f8e16368910c
http://security.ubuntu.com/ubuntu/pool/universe/c/curl/libcurl2_7.11.2-12ubuntu3.3_powerpc.deb
Size/MD5: 230648 dd2a75c994541467517a60e1a336b77a
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-dbg_7.12.3-2ubuntu3.5_powerpc.deb
Size/MD5: 1601402 26d6817b37c7374e05751aff7bdd998b
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-dev_7.12.3-2ubuntu3.5_powerpc.deb
Size/MD5: 1223556 e84e5fc07f89ac709e8878dc8077025d
http://security.ubuntu.com/ubuntu/pool/universe/c/curl/libcurl3-gssapi_7.12.3-2ubuntu3.5_powerpc.deb
Size/MD5: 142846 86dc96c63047dcd4da246dbb6b50e1bb
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3_7.12.3-2ubuntu3.5_powerpc.deb
Size/MD5: 259030 f1c8afbe12f1f153ac89416c3de77d05

Updated packages for Ubuntu 5.10:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.14.0-2ubuntu1.2.diff.gz
Size/MD5: 172472 01d9e73d5c3c1ed6c9bc7d35d0cfc53b
http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.14.0-2ubuntu1.2.dsc
Size/MD5: 807 2455b42b81a0ba3718cf7d7d30016e67
http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.14.0.orig.tar.gz
Size/MD5: 2236640 3466045eab2170a393807a9eace17c55

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.14.0-2ubuntu1.2_amd64.deb
Size/MD5: 153942 14b8333284c546d61d16e4b426d8727f
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-dbg_7.14.0-2ubuntu1.2_amd64.deb
Size/MD5: 454934 68254a5a28844c861c0e696298321dec
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-dev_7.14.0-2ubuntu1.2_amd64.deb
Size/MD5: 1253760 e448cdada96847f18336eb86021ff3be
http://security.ubuntu.com/ubuntu/pool/universe/c/curl/libcurl3-gssapi_7.14.0-2ubuntu1.2_amd64.deb
Size/MD5: 126014 a85895b81a98a287d5a53302c1427186
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3_7.14.0-2ubuntu1.2_amd64.deb
Size/MD5: 247620 6e2fc2f2fd8178e7ba89c72b5266ab79

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.14.0-2ubuntu1.2_i386.deb
Size/MD5: 152870 98413ae7977e6055c872aabe39e79394
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-dbg_7.14.0-2ubuntu1.2_i386.deb
Size/MD5: 427436 c6dc2f4eac30256103ee59f24be7e737
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-dev_7.14.0-2ubuntu1.2_i386.deb
Size/MD5: 1236180 a47e57854f1a6e06bfd5b387ce075699
http://security.ubuntu.com/ubuntu/pool/universe/c/curl/libcurl3-gssapi_7.14.0-2ubuntu1.2_i386.deb
Size/MD5: 119466 84d6b29e40235dd9c668f7b0febec53b
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3_7.14.0-2ubuntu1.2_i386.deb
Size/MD5: 241034 ace721841e231ce9422b7fd347b14959

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.14.0-2ubuntu1.2_powerpc.deb
Size/MD5: 156704 46572eb7c8e2763937ccee3aa1446066
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-dbg_7.14.0-2ubuntu1.2_powerpc.deb
Size/MD5: 461144 ca4fff8c045e84eeead4ac9abb80ced1
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-dev_7.14.0-2ubuntu1.2_powerpc.deb
Size/MD5: 1258704 c64b3487fa92752cca2170f7a6d6419b
http://security.ubuntu.com/ubuntu/pool/universe/c/curl/libcurl3-gssapi_7.14.0-2ubuntu1.2_powerpc.deb
Size/MD5: 128190 48f15a5fedafd59f48bf499c26704022
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3_7.14.0-2ubuntu1.2_powerpc.deb
Size/MD5: 249180 409e0e0d305e26c7e17b9f490e3168a6




Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/usn_228_1_curl_library_vulnerability.html)