Bug#1098725: bookworm-pu: package curl/7.88.1-10+deb12u11

Dr. Tobias Quathamer Sun, 23 Feb 2025 04:21:32 -0800

Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: c...@packages.debian.org, to...@debian.org
Control: affects -1 + src:curl
User: release.debian....@packages.debian.org
Usertags: pu


[ Reason ]
This update fixes CVE-2025-0167.

[ Impact ]
When asked to use a .netrc file for credentials and to follow HTTP
redirects, curl could leak the password used for the first host to the

followed-to host under certain circumstances. This flaw only manifestsitself if the netrc file has a default entry that omits both login andpassword.

According to upstream, this is a rare circumstance.

[ Tests ]

Upstream has created a new test case which checks that the vulnerabilityhas been fixed by the change. That test case has been backported by meas well.


[ Risks ]

The risks should be minimal, because upstream has added tests tovalidate the patch.


[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]

Backported the upstream patch that fixes CVE-2025-0167. Added a testcase to check the change.


[ Other info ]

There is currently another curl update for bookworm pending, see Debianbug #1098397. I've therefore only created a debdiff fromcurl/7.88.1-10+deb12u10 to curl/7.88.1-10+deb12u11.


Regards,
Tobias

diff -Nru curl-7.88.1/debian/changelog curl-7.88.1/debian/changelog
--- curl-7.88.1/debian/changelog	2025-01-20 03:22:01.000000000 +0100
+++ curl-7.88.1/debian/changelog	2025-02-10 11:45:37.000000000 +0100
@@ -1,3 +1,14 @@
+curl (7.88.1-10+deb12u11) bookworm; urgency=medium
+
+ * Import patch for CVE-2025-0167.
+   - When asked to use a `.netrc` file for credentials **and** to follow HTTP
+     redirects, curl could leak the password used for the first host to the
+     followed-to host under certain circumstances. This flaw only manifests
+     itself if the netrc file has a `default` entry that omits both login
+     and password. A rare circumstance.
+
+ -- Dr. Tobias Quathamer <to...@debian.org>  Mon, 10 Feb 2025 11:45:37 +0100
+
 curl (7.88.1-10+deb12u10) bookworm; urgency=medium
 
   * Team upload.
diff -Nru curl-7.88.1/debian/patches/CVE-2025-0167.patch curl-7.88.1/debian/patches/CVE-2025-0167.patch
--- curl-7.88.1/debian/patches/CVE-2025-0167.patch	1970-01-01 01:00:00.000000000 +0100
+++ curl-7.88.1/debian/patches/CVE-2025-0167.patch	2025-02-10 11:45:37.000000000 +0100
@@ -0,0 +1,174 @@
+From: Daniel Stenberg <dan...@haxx.se>
+Date: Fri, 3 Jan 2025 16:22:27 +0100
+Subject: [PATCH] netrc: 'default' with no credentials is not a match
+
+Test 486 verifies.
+
+Reported-by: Yihang Zhou
+
+Closes #15908
+
+Backported by: Dr. Tobias Quathamer <to...@debian.org>
+
+Changes:
+* Refresh patch context for lib/netrc.c
+* Use tests/data/Makefile.inc to add new test instead of
+  tests/data/Makefile.am, because that has only been
+  introduced in later versions of curl.
+* Replace "%LOGDIR" with "log" due to its absence in bookworm.
+---
+ lib/netrc.c             |  15 ++++---
+ tests/data/Makefile.inc |   1 +
+ tests/data/test486      | 105 ++++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 116 insertions(+), 5 deletions(-)
+ create mode 100644 tests/data/test486
+
+diff --git a/lib/netrc.c b/lib/netrc.c
+index fb1f495..2df76aa 100644
+--- a/lib/netrc.c
++++ b/lib/netrc.c
+@@ -260,11 +260,16 @@ static int parsenetrc(const char *host,
+     } /* while Curl_get_line() */
+ 
+     out:
+-    if(!retcode && !password && our_login) {
+-      /* success without a password, set a blank one */
+-      password = strdup("");
+-      if(!password)
+-        retcode = 1; /* out of memory */
++    if(!retcode) {
++      if(!password && our_login) {
++        /* success without a password, set a blank one */
++        password = strdup("");
++        if(!password)
++          retcode = 1; /* out of memory */
++      }
++      else if(!login && !password)
++        /* a default with no credentials */
++        retcode = NETRC_FILE_MISSING;
+     }
+     if(!retcode) {
+       /* success */
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index ceedd38..0f6dd22 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -75,6 +75,7 @@ test430 test431 test432 test433 test434 test435 test436 \
+ test440 test441 test442 test443 test444 test445 test446 \
+ \
+ test478 test479 test480 \
++test486 \
+ \
+ test490 test491 test492 test493 test494 test495 test496 \
+ \
+diff --git a/tests/data/test486 b/tests/data/test486
+new file mode 100644
+index 0000000..d0d6d67
+--- /dev/null
++++ b/tests/data/test486
+@@ -0,0 +1,105 @@
++<testcase>
++<info>
++<keywords>
++netrc
++HTTP
++</keywords>
++</info>
++#
++# Server-side
++<reply>
++<data crlf="yes">
++HTTP/1.1 301 Follow this you fool
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
++ETag: "21025-dc7-39462498"
++Accept-Ranges: bytes
++Content-Length: 6
++Connection: close
++Location: http://b.com/%TESTNUMBER0002
++
++-foo-
++</data>
++
++<data2 crlf="yes">
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
++ETag: "21025-dc7-39462498"
++Accept-Ranges: bytes
++Content-Length: 7
++Connection: close
++
++target
++</data2>
++
++<datacheck crlf="yes">
++HTTP/1.1 301 Follow this you fool
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
++ETag: "21025-dc7-39462498"
++Accept-Ranges: bytes
++Content-Length: 6
++Connection: close
++Location: http://b.com/%TESTNUMBER0002
++
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
++ETag: "21025-dc7-39462498"
++Accept-Ranges: bytes
++Content-Length: 7
++Connection: close
++
++target
++</datacheck>
++</reply>
++
++#
++# Client-side
++<client>
++<server>
++http
++</server>
++<features>
++proxy
++</features>
++<name>
++.netrc with redirect and "default" with no password or login
++</name>
++<command>
++--netrc --netrc-file log/netrc%TESTNUMBER -L -x http://%HOSTIP:%HTTPPORT/ http://a.com/
++</command>
++<file name="log/netrc%TESTNUMBER" >
++
++machine a.com
++  login alice
++  password alicespassword
++
++default
++
++</file>
++</client>
++
++<verify>
++<protocol>
++GET http://a.com/ HTTP/1.1
++Host: a.com
++Authorization: Basic %b64[alice:alicespassword]b64%
++User-Agent: curl/%VERSION
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++GET http://b.com/%TESTNUMBER0002 HTTP/1.1
++Host: b.com
++User-Agent: curl/%VERSION
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++</protocol>
++</verify>
++</testcase>
diff -Nru curl-7.88.1/debian/patches/series curl-7.88.1/debian/patches/series
--- curl-7.88.1/debian/patches/series	2025-01-20 03:22:01.000000000 +0100
+++ curl-7.88.1/debian/patches/series	2025-02-10 11:45:37.000000000 +0100
@@ -59,6 +59,9 @@
 url-use-same-credentials-on-redirect.patch
 CVE-2024-11053.patch
 
+# Patches from 8.12.0.
+CVE-2025-0167.patch
+
 # Do not add patches below.
 # Used to generate packages for the other crypto libraries.
 90_gnutls.patch

Bug#1098725: bookworm-pu: package curl/7.88.1-10+deb12u11

Reply via email to