Bug 911363 - (CVE-2014-8150) VUL-0: CVE-2014-8150: curl: URL request injection vulnerability
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Assigned To: Security Team bot
maint:released:sle10-sp3:60143 maint:...
Reported: 2014-12-30 08:18 UTC by Victor Pereira
Modified: 2017-06-16 12:06 UTC (History)
Description Victor Pereira 2014-12-30 08:18:54 UTC
URL request injection vulnerability
===================================

Project cURL Security Advisory, January 8th 2015 -
[Permalink](http://curl.haxx.se/docs/adv_20150108B.html)

VULNERABILITY
-------------

When libcurl sends a request to a server via a HTTP proxy, it copies the
entire URL into the request and sends it off.

If the given URL contains line feeds and carriage returns those will be sent
along to the proxy too, which allows the program to for example send a
separate HTTP request injected embedded in the URL.

Many programs allow some kind of external sources to set the URL or provide
partial pieces for the URL to ask for, and if the URL as received from the
user is not stripped good enough this flaw allows malicious users to do
additional requests in a way that was not intended, or just to insert request
headers into the request that the program didn't intend.

We are not aware of any exploit of this flaw.

INFO
----

This flaw can also affect the curl command line tool if a similar operation
series is made with that.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2015-XXXX to this issue.

AFFECTED VERSIONS
-----------------

- Affected versions: from libcurl 7.1 to and including 7.39.0
- Not affected versions: libcurl >= 7.40.0

libcurl is used by many applications, but not always advertised as such!

THE SOLUTION
------------

libcurl 7.40.0 makes sure that the URL passed to the proxy may never contain
either carriage return or line feed characters.

A patch for this problem is available (for now) at:

     http://curl.haxx.se/0001-url-parsing-reject-CRLFs-within-URLs.patch

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

A - Upgrade to curl and libcurl 7.40.0

B - Apply the patch and rebuild libcurl

C - Only use URLs that are carefully stripped from line feeds and carriage
     returns

TIME LINE
---------

It was first reported to the curl project on December 25 2014.

We contacted distros@openwall on December 28.

libcurl 7.40.0 was released on January 8th 2015, coordinated with the
publication of this advisory.

CREDITS
-------

Reported by Andrey Labunets (Facebook)

Thanks a lot!

-- 

  / daniel.haxx.se
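
Recommendation C from the advisory above, sketched as a pre-flight check an application can run before handing a URL to an affected libcurl. This is an added example, not code from the curl project or from this bug report; the function names and the request-line model are hypothetical, and the sample URLs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Recommendation C as a check: 1 if the URL has no raw CR or LF, else 0.
   Hypothetical helper, not libcurl's internal fix. */
int url_free_of_crlf(const char *url)
{
    return url != NULL && strpbrk(url, "\r\n") == NULL;
}

/* Hypothetical model of a proxy request line: the whole URL is copied in.
   Returns bytes written, or -1 if the URL is rejected or does not fit. */
int build_proxy_request_line(char *out, size_t outlen, const char *url)
{
    int n;

    if (!url_free_of_crlf(url))
        return -1;
    n = snprintf(out, outlen, "GET %s HTTP/1.1\r\n", url);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Number of CRLF-terminated lines the URL would produce, or -1 if rejected.
   A URL that is safe to forward always yields exactly one line. */
int request_lines_for(const char *url)
{
    char buf[512];
    int lines = 0;
    const char *p = buf;

    if (build_proxy_request_line(buf, sizeof buf, url) < 0)
        return -1;
    while ((p = strstr(p, "\r\n")) != NULL) {
        lines++;
        p += 2;
    }
    return lines;
}

int main(void)
{
    /* Constructed sample inputs, not taken from the advisory. */
    const char *clean = "http://example.com/index.html";
    const char *tainted = "http://example.com/\r\nX-Added: 1";

    printf("clean:   %d\n", request_lines_for(clean));
    printf("tainted: %d\n", request_lines_for(tainted));
    return 0;
}
```

Rejecting the URL outright, rather than silently stripping the characters, keeps the decision visible to the caller and makes the event easy to log.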
Comment 2 Swamp Workflow Management 2014-12-30 23:00:14 UTC
bugbot adjusting priority
Comment 7 Swamp Workflow Management 2015-01-06 13:19:53 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-01-20.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/60141
Comment 10 Johannes Segitz 2015-01-08 10:12:22 UTC
public: http://curl.haxx.se/docs/adv_20150108B.html
Comment 13 Swamp Workflow Management 2015-01-19 16:05:59 UTC
SUSE-SU-2015:0083-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 901924,911363
CVE References: CVE-2014-3707,CVE-2014-8150
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    curl-7.37.0-5.1
SUSE Linux Enterprise Server 12 (src):    curl-7.37.0-5.1
SUSE Linux Enterprise Desktop 12 (src):    curl-7.37.0-5.1
Comment 14 Swamp Workflow Management 2015-01-31 00:09:17 UTC
SUSE-SU-2015:0179-1: An update that solves three vulnerabilities and has four fixes is now available.

Category: security (moderate)
Bug References: 870444,884698,885302,894575,897816,901924,911363
CVE References: CVE-2014-3613,CVE-2014-3707,CVE-2014-8150
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    curl-7.19.7-1.40.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    curl-7.19.7-1.40.1
SUSE Linux Enterprise Server 11 SP3 (src):    curl-7.19.7-1.40.1
SUSE Linux Enterprise Security Module 11 SP3 (src):    curl-openssl1-7.19.7-0.40.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    curl-7.19.7-1.40.1
Comment 18 Bernhard Wiedemann 2015-02-03 10:00:12 UTC
This is an autogenerated message for OBS integration:
This bug (911363) was mentioned in
https://build.opensuse.org/request/show/283834 13.2+13.1 / curl
Comment 19 Swamp Workflow Management 2015-02-10 15:05:06 UTC
openSUSE-SU-2015:0248-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 901924,911363
CVE References: CVE-2014-3707,CVE-2014-8150
Sources used:
openSUSE 13.2 (src):    curl-7.40.0-4.1
openSUSE 13.1 (src):    curl-7.40.0-2.35.1
Comment 20 Marcus Meissner 2015-02-10 15:10:03 UTC
released