Headline
Debian Security Advisory 5460-1
Debian Linux Security Advisory 5460-1 - It was discovered that Curl performed incorrect file path handling when saving cookies to files, which could lead to the creation or overwriting of files.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Debian Security Advisory DSA-5460-1 [email protected]
https://www.debian.org/security/ Moritz Muehlenhoff
July 26, 2023 https://www.debian.org/security/faq
Package : curl
CVE ID : CVE-2023-32001
It was discovered that Curl performed incorrect file path handling when
saving cookies to files, which could lead to the creation or overwriting
of files.
The oldstable distribution (bullseye) is not affected.
For the stable distribution (bookworm), this problem has been fixed in
version 7.88.1-10+deb12u1.
We recommend that you upgrade your curl packages.
For the detailed security status of curl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/curl
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: [email protected]
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmTBdbYACgkQEMKTtsN8
TjbfTBAAmujUmVYytNJLsiCxp0HhaIEblUWK5kI5g0J2zNqIYvc3XZ92Zy64jiIn
3Iwm8qptjSY0JfhQK22X8gKOWtUfjmFiiPNZuvtIn09/9VXKq2c0U+h/uht2gTx4
VaEwFOux8nJHesXDZkWAbfuVlt8trSnfRisEJiaHOggjCz3MZZ/Zhc/FeSgR7cTx
+udiMlseaqcjtDG0P9S7PLvG8Jf4w/jtG1kFzRvzJbJYczAwQ67wAJi5lmsbdK00
txg6Eljmf7JkaYhi0z2pi8w7KbIRhygzkTa97rM0i4BupOO3IcLV0TiosMSRdcXr
Zij0ndo8WIiS5FtOR32bi5Du35uh0HufGtvaL97vyxglKv7IjbPVLRntLMNwTyrM
VXt4Hy/FHZPUkpNxqurfQwK+I++QUj0Sd3p5AJPD8/DHipP6ffMNPpb3oARBrsev
uuGmk3tKW3NcTaYQGPo76QhXAc2R/9szMjQYOj/0T07xElYYWU+BBh44W9rIuQZY
+dssf/X3GXzub9NPJSKrYZoCloT+U7JhqIi+D5GidXeZP2DXBdQMWrX2y6T1t0S0
pN7fjknB+jnbMRrjpqntzJ52x0lT3b8m7IjrG7yLA3moUPrDO7lzlneN1wptJ5sw
qFeAvOu3UehQy6HYEz44Xafk7sIl15LgNZRPZpJQK4u+1xtjI+E=JrDz
-----END PGP SIGNATURE-----
Related news
IBM QRadar WinCollect Agent 10.0 through 10.1.7 could allow a privileged user to obtain sensitive information due to missing best practices. IBM X-Force ID: 213551.
Gentoo Linux Security Advisory 202310-12 - Multiple vulnerabilities have been discovered in curl, the worst of which could result in arbitrary code execution. Versions greater than or equal to 8.3.0-r2 are affected.
Ubuntu Security Notice 6237-3 - USN-6237-1 fixed several vulnerabilities in curl. This update provides the corresponding updates for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 18.04 LTS. Hiroki Kurosawa discovered that curl incorrectly handled validating certain certificate wildcards. A remote attacker could possibly use this issue to spoof certain website certificates using IDN hosts.
libcurl can be told to save cookie, HSTS and/or alt-svc data to files. When doing this, it called `stat()` followed by `fopen()` in a way that made it vulnerable to a TOCTOU race condition problem. By exploiting this flaw, an attacker could trick the victim to create or overwrite protected files holding this data in ways it was not intended to.
Ubuntu Security Notice 6237-2 - USN-6237-1 fixed vulnerabilities in curl. The update caused a certificate wildcard handling regression on Ubuntu 22.04 LTS. This update fixes the problem. Hiroki Kurosawa discovered that curl incorrectly handled validating certain certificate wildcards. A remote attacker could possibly use this issue to spoof certain website certificates using IDN hosts. Hiroki Kurosawa discovered that curl incorrectly handled callbacks when certain options are set by applications. This could cause applications using curl to misbehave, resulting in information disclosure, or a denial of service. It was discovered that curl incorrectly handled saving cookies to files. A local attacker could possibly use this issue to create or overwrite files. This issue only affected Ubuntu 22.10, and Ubuntu 23.04.
Ubuntu Security Notice 6237-1 - Hiroki Kurosawa discovered that curl incorrectly handled validating certain certificate wildcards. A remote attacker could possibly use this issue to spoof certain website certificates using IDN hosts. Hiroki Kurosawa discovered that curl incorrectly handled callbacks when certain options are set by applications. This could cause applications using curl to misbehave, resulting in information disclosure, or a denial of service.