<<< Date Index >>>     <<< Thread Index >>>

[USN-228-1] curl library vulnerability



===========================================================
Ubuntu Security Notice USN-228-1          December 12, 2005
curl vulnerability
CVE-2005-4077
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

libcurl2
libcurl3

The problem can be corrected by upgrading the affected package to
version 7.12.0.is.7.11.2-1ubuntu0.3 (for Ubuntu 4.10),
7.12.3-2ubuntu3.5 (libcurl3 for Ubuntu 5.04), 1:7.11.2-12ubuntu3.3
(libcurl2 for Ubuntu 5.04), or 7.14.0-2ubuntu1.2 (for Ubuntu 5.10).
In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Stefan Esser discovered several buffer overflows in the handling of
URLs. By attempting to load an URL with a specially crafted invalid
hostname, a local attacker could exploit this to execute arbitrary
code with the privileges of the application that uses the cURL
library.

It is not possible to trick cURL into loading a malicious URL with an
HTTP redirect, so this vulnerability was usually not exploitable
remotely. However, it could be exploited locally to e. g. circumvent
PHP security restrictions.


Updated packages for Ubuntu 4.10:

  Source archives:

    
http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.12.0.is.7.11.2-1ubuntu0.3.diff.gz
      Size/MD5:   160919 5cf0f9c8ba68210e8e4c2758e60b2580
    
http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.12.0.is.7.11.2-1ubuntu0.3.dsc
      Size/MD5:      707 ba339f748a4aa0df95fad727d17351a6
    
http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.12.0.is.7.11.2.orig.tar.gz
      Size/MD5:  1435629 25e6617ea7dec34d072426942b77801f

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    
http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.12.0.is.7.11.2-1ubuntu0.3_amd64.deb
      Size/MD5:   108786 b2c4b1a909e7df51f1b473bad16eb5da
    
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl2-dbg_7.12.0.is.7.11.2-1ubuntu0.3_amd64.deb
      Size/MD5:  1043928 85dd2975faa3caf60fe4af59227e73ea
    
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl2-dev_7.12.0.is.7.11.2-1ubuntu0.3_amd64.deb
      Size/MD5:   568360 7da61685491a4bf50cb4b93a2ec908c7
    
http://security.ubuntu.com/ubuntu/pool/universe/c/curl/libcurl2-gssapi_7.12.0.is.7.11.2-1ubuntu0.3_amd64.deb
      Size/MD5:   112112 c643fd29e22a8b36bab08dcb26ff419c
    
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl2_7.12.0.is.7.11.2-1ubuntu0.3_amd64.deb
      Size/MD5:   224822 5e3afe9b190593442354151c4175ac07

  i386 architecture (x86 compatible Intel/AMD)

    
http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.12.0.is.7.11.2-1ubuntu0.3_i386.deb
      Size/MD5:   107950 6bdaa7ac9bc28865bf2f8ea98c033638
    
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl2-dbg_7.12.0.is.7.11.2-1ubuntu0.3_i386.deb
      Size/MD5:  1029246 5bf95fcb5356c46a48647e90c106893a
    
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl2-dev_7.12.0.is.7.11.2-1ubuntu0.3_i386.deb
      Size/MD5:   556842 9a83e697723e0498b189b661856a5f44
    
http://security.ubuntu.com/ubuntu/pool/universe/c/curl/libcurl2-gssapi_7.12.0.is.7.11.2-1ubuntu0.3_i386.deb
      Size/MD5:   110126 ffd39f845dcd54c1725dd5b530f69880
    
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl2_7.12.0.is.7.11.2-1ubuntu0.3_i386.deb
      Size/MD5:   223078 641bab72067de0f032fefcfe374a21b9

  powerpc architecture (Apple Macintosh G3/G4/G5)

    
http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.12.0.is.7.11.2-1ubuntu0.3_powerpc.deb
      Size/MD5:   110280 f01bb0abf8a7ee14df4f5ce45c7edcb3
    
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl2-dbg_7.12.0.is.7.11.2-1ubuntu0.3_powerpc.deb
      Size/MD5:  1053056 d14dafe8fa84b5c189a1b9434fab4166
    
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl2-dev_7.12.0.is.7.11.2-1ubuntu0.3_powerpc.deb
      Size/MD5:   573702 d4e343709827dc77b6e3caf8c3383145
    
http://security.ubuntu.com/ubuntu/pool/universe/c/curl/libcurl2-gssapi_7.12.0.is.7.11.2-1ubuntu0.3_powerpc.deb
      Size/MD5:   116522 add20579ac6b24154674095b8e8152ff
    
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl2_7.12.0.is.7.11.2-1ubuntu0.3_powerpc.deb
      Size/MD5:   229658 ca56d9ba1a7445ac4638a79efe985cd6

Updated packages for Ubuntu 5.04:

  Source archives:

    
http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.12.3-2ubuntu3.5.diff.gz
      Size/MD5:  1262740 00b378df6454659925ffb8317de89a33
    
http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.12.3-2ubuntu3.5.dsc
      Size/MD5:      832 19e220d065283b4c118a9a7576dcab13
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.12.3.orig.tar.gz
      Size/MD5:  2135477 653d1227c58ca870f95c488db62033f8

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    
http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.12.3-2ubuntu3.5_amd64.deb
      Size/MD5:   166430 56b527b3f654c498476606c8b2e5218f
    
http://security.ubuntu.com/ubuntu/pool/universe/c/curl/libcurl2-dev_7.11.2-12ubuntu3.3_amd64.deb
      Size/MD5:   341484 c64f9a35c94872b033ce89d8ae0bf193
    
http://security.ubuntu.com/ubuntu/pool/universe/c/curl/libcurl2_7.11.2-12ubuntu3.3_amd64.deb
      Size/MD5:   225790 c6db9fc785c37e8fc27620b9841ae53f
    
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-dbg_7.12.3-2ubuntu3.5_amd64.deb
      Size/MD5:   991810 d051acceddd6f2d4c1356bec0dcfbe9f
    
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-dev_7.12.3-2ubuntu3.5_amd64.deb
      Size/MD5:  1217552 ed1cbb38b5dbe4f776b4277f0de74429
    
http://security.ubuntu.com/ubuntu/pool/universe/c/curl/libcurl3-gssapi_7.12.3-2ubuntu3.5_amd64.deb
      Size/MD5:   138014 aa54bc9fd89a1068f75ac1a354796987
    
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3_7.12.3-2ubuntu3.5_amd64.deb
      Size/MD5:   254376 fe569e17b09c23bda1156ae49a219df6

  i386 architecture (x86 compatible Intel/AMD)

    
http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.12.3-2ubuntu3.5_i386.deb
      Size/MD5:   165564 b8cd25dfae1816207eddd1f9c9f6576a
    
http://security.ubuntu.com/ubuntu/pool/universe/c/curl/libcurl2-dev_7.11.2-12ubuntu3.3_i386.deb
      Size/MD5:   328156 5ad8dbebd4b74ca2eb807290625fe3c2
    
http://security.ubuntu.com/ubuntu/pool/universe/c/curl/libcurl2_7.11.2-12ubuntu3.3_i386.deb
      Size/MD5:   223992 2989c4c6292069c59d9654f2b99a77d9
    
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-dbg_7.12.3-2ubuntu3.5_i386.deb
      Size/MD5:   989726 5406a590e0998ec705cbeba27f0c292d
    
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-dev_7.12.3-2ubuntu3.5_i386.deb
      Size/MD5:  1202882 50757b0afdbefb3b8e956060dece4c75
    
http://security.ubuntu.com/ubuntu/pool/universe/c/curl/libcurl3-gssapi_7.12.3-2ubuntu3.5_i386.deb
      Size/MD5:   135074 d7b7e473412ba0779f68d2265ab9dabf
    
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3_7.12.3-2ubuntu3.5_i386.deb
      Size/MD5:   251820 0fde60ae464fe109113aa445fd5ac908

  powerpc architecture (Apple Macintosh G3/G4/G5)

    
http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.12.3-2ubuntu3.5_powerpc.deb
      Size/MD5:   168958 0e2221d5202c09bb62c2ed02b3dbbc28
    
http://security.ubuntu.com/ubuntu/pool/universe/c/curl/libcurl2-dev_7.11.2-12ubuntu3.3_powerpc.deb
      Size/MD5:   346148 fc1431630ee831312c32f8e16368910c
    
http://security.ubuntu.com/ubuntu/pool/universe/c/curl/libcurl2_7.11.2-12ubuntu3.3_powerpc.deb
      Size/MD5:   230648 dd2a75c994541467517a60e1a336b77a
    
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-dbg_7.12.3-2ubuntu3.5_powerpc.deb
      Size/MD5:  1601402 26d6817b37c7374e05751aff7bdd998b
    
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-dev_7.12.3-2ubuntu3.5_powerpc.deb
      Size/MD5:  1223556 e84e5fc07f89ac709e8878dc8077025d
    
http://security.ubuntu.com/ubuntu/pool/universe/c/curl/libcurl3-gssapi_7.12.3-2ubuntu3.5_powerpc.deb
      Size/MD5:   142846 86dc96c63047dcd4da246dbb6b50e1bb
    
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3_7.12.3-2ubuntu3.5_powerpc.deb
      Size/MD5:   259030 f1c8afbe12f1f153ac89416c3de77d05

Updated packages for Ubuntu 5.10:

  Source archives:

    
http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.14.0-2ubuntu1.2.diff.gz
      Size/MD5:   172472 01d9e73d5c3c1ed6c9bc7d35d0cfc53b
    
http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.14.0-2ubuntu1.2.dsc
      Size/MD5:      807 2455b42b81a0ba3718cf7d7d30016e67
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.14.0.orig.tar.gz
      Size/MD5:  2236640 3466045eab2170a393807a9eace17c55

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    
http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.14.0-2ubuntu1.2_amd64.deb
      Size/MD5:   153942 14b8333284c546d61d16e4b426d8727f
    
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-dbg_7.14.0-2ubuntu1.2_amd64.deb
      Size/MD5:   454934 68254a5a28844c861c0e696298321dec
    
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-dev_7.14.0-2ubuntu1.2_amd64.deb
      Size/MD5:  1253760 e448cdada96847f18336eb86021ff3be
    
http://security.ubuntu.com/ubuntu/pool/universe/c/curl/libcurl3-gssapi_7.14.0-2ubuntu1.2_amd64.deb
      Size/MD5:   126014 a85895b81a98a287d5a53302c1427186
    
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3_7.14.0-2ubuntu1.2_amd64.deb
      Size/MD5:   247620 6e2fc2f2fd8178e7ba89c72b5266ab79

  i386 architecture (x86 compatible Intel/AMD)

    
http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.14.0-2ubuntu1.2_i386.deb
      Size/MD5:   152870 98413ae7977e6055c872aabe39e79394
    
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-dbg_7.14.0-2ubuntu1.2_i386.deb
      Size/MD5:   427436 c6dc2f4eac30256103ee59f24be7e737
    
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-dev_7.14.0-2ubuntu1.2_i386.deb
      Size/MD5:  1236180 a47e57854f1a6e06bfd5b387ce075699
    
http://security.ubuntu.com/ubuntu/pool/universe/c/curl/libcurl3-gssapi_7.14.0-2ubuntu1.2_i386.deb
      Size/MD5:   119466 84d6b29e40235dd9c668f7b0febec53b
    
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3_7.14.0-2ubuntu1.2_i386.deb
      Size/MD5:   241034 ace721841e231ce9422b7fd347b14959

  powerpc architecture (Apple Macintosh G3/G4/G5)

    
http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.14.0-2ubuntu1.2_powerpc.deb
      Size/MD5:   156704 46572eb7c8e2763937ccee3aa1446066
    
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-dbg_7.14.0-2ubuntu1.2_powerpc.deb
      Size/MD5:   461144 ca4fff8c045e84eeead4ac9abb80ced1
    
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-dev_7.14.0-2ubuntu1.2_powerpc.deb
      Size/MD5:  1258704 c64b3487fa92752cca2170f7a6d6419b
    
http://security.ubuntu.com/ubuntu/pool/universe/c/curl/libcurl3-gssapi_7.14.0-2ubuntu1.2_powerpc.deb
      Size/MD5:   128190 48f15a5fedafd59f48bf499c26704022
    
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3_7.14.0-2ubuntu1.2_powerpc.deb
      Size/MD5:   249180 409e0e0d305e26c7e17b9f490e3168a6

Attachment: signature.asc
Description: Digital signature