Your message dated Sat, 15 Mar 2025 09:44:44 +0000
with message-id <e1tto4s-005ki3...@coccia.debian.org>
and subject line Close 1098725
has caused the Debian Bug report #1098725,
regarding bookworm-pu: package curl/7.88.1-10+deb12u11
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
--
1098725: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098725
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: c...@packages.debian.org, to...@debian.org
Control: affects -1 + src:curl
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
This update fixes CVE-2025-0167.
[ Impact ]
When asked to use a .netrc file for credentials and to follow HTTP
redirects, curl could leak the password used for the first host to the
followed-to host under certain circumstances. This flaw only manifests
itself if the netrc file has a default entry that omits both login and
password.
According to upstream, this is a rare circumstance.
[ Tests ]
Upstream has created a new test case which checks that the vulnerability
has been fixed by the change. That test case has been backported by me
as well.
[ Risks ]
The risks should be minimal, because upstream has added tests to
validate the patch.
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Backported the upstream patch that fixes CVE-2025-0167. Added a test
case to check the change.
[ Other info ]
There is currently another curl update for bookworm pending, see Debian
bug #1098397. I've therefore only created a debdiff from
curl/7.88.1-10+deb12u10 to curl/7.88.1-10+deb12u11.
Regards,
Tobias
diff -Nru curl-7.88.1/debian/changelog curl-7.88.1/debian/changelog
--- curl-7.88.1/debian/changelog 2025-01-20 03:22:01.000000000 +0100
+++ curl-7.88.1/debian/changelog 2025-02-10 11:45:37.000000000 +0100
@@ -1,3 +1,14 @@
+curl (7.88.1-10+deb12u11) bookworm; urgency=medium
+
+ * Import patch for CVE-2025-0167.
+ - When asked to use a `.netrc` file for credentials **and** to follow HTTP
+ redirects, curl could leak the password used for the first host to the
+ followed-to host under certain circumstances. This flaw only manifests
+ itself if the netrc file has a `default` entry that omits both login
+ and password. A rare circumstance.
+
+ -- Dr. Tobias Quathamer <to...@debian.org> Mon, 10 Feb 2025 11:45:37 +0100
+
curl (7.88.1-10+deb12u10) bookworm; urgency=medium
* Team upload.
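Review bot: The new changelog entry uses Markdown markup (`.netrc`, **and**, `default`) that d/changelog does not render, and it does not mention that upstream test 486 was backported along with the fix. Plain wording plus a line such as "Backport test 486 to verify the fix" would match what the request's [ Changes ] section says was done.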
diff -Nru curl-7.88.1/debian/patches/CVE-2025-0167.patch curl-7.88.1/debian/patches/CVE-2025-0167.patch
--- curl-7.88.1/debian/patches/CVE-2025-0167.patch 1970-01-01 01:00:00.000000000 +0100
+++ curl-7.88.1/debian/patches/CVE-2025-0167.patch 2025-02-10 11:45:37.000000000 +0100
@@ -0,0 +1,174 @@
+From: Daniel Stenberg <dan...@haxx.se>
+Date: Fri, 3 Jan 2025 16:22:27 +0100
+Subject: [PATCH] netrc: 'default' with no credentials is not a match
+
+Test 486 verifies.
+
+Reported-by: Yihang Zhou
+
+Closes #15908
+
+Backported by: Dr. Tobias Quathamer <to...@debian.org>
+
+Changes:
+* Refresh patch context for lib/netrc.c
+* Use tests/data/Makefile.inc to add new test instead of
+ tests/data/Makefile.am, because that has only been
+ introduced in later versions of curl.
+* Replace "%LOGDIR" with "log" due to its absence in bookworm.
+---
+ lib/netrc.c | 15 ++++---
+ tests/data/Makefile.inc | 1 +
+ tests/data/test486 | 105 ++++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 116 insertions(+), 5 deletions(-)
+ create mode 100644 tests/data/test486
+
+diff --git a/lib/netrc.c b/lib/netrc.c
+index fb1f495..2df76aa 100644
+--- a/lib/netrc.c
++++ b/lib/netrc.c
+@@ -260,11 +260,16 @@ static int parsenetrc(const char *host,
+ } /* while Curl_get_line() */
+
+ out:
+- if(!retcode && !password && our_login) {
+- /* success without a password, set a blank one */
+- password = strdup("");
+- if(!password)
+- retcode = 1; /* out of memory */
++ if(!retcode) {
++ if(!password && our_login) {
++ /* success without a password, set a blank one */
++ password = strdup("");
++ if(!password)
++ retcode = 1; /* out of memory */
++ }
++ else if(!login && !password)
++ /* a default with no credentials */
++ retcode = NETRC_FILE_MISSING;
+ }
+ if(!retcode) {
+ /* success */
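Review bot: In the new `else if(!login && !password)` branch the result is `NETRC_FILE_MISSING`, a name that says nothing about a `default` entry without credentials, and the only explanation is the short "a default with no credentials" comment. Please extend the comment to say why the file-missing code is the intended result here, or use a dedicated return value. The branch body is also a comment plus a statement without braces, while the sibling `if` is braced; bracing both would make the pairing of the `else` easier to read.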
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index ceedd38..0f6dd22 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -75,6 +75,7 @@ test430 test431 test432 test433 test434 test435 test436 \
+ test440 test441 test442 test443 test444 test445 test446 \
+ \
+ test478 test479 test480 \
++test486 \
+ \
+ test490 test491 test492 test493 test494 test495 test496 \
+ \
+diff --git a/tests/data/test486 b/tests/data/test486
+new file mode 100644
+index 0000000..d0d6d67
+--- /dev/null
++++ b/tests/data/test486
+@@ -0,0 +1,105 @@
++<testcase>
++<info>
++<keywords>
++netrc
++HTTP
++</keywords>
++</info>
++#
++# Server-side
++<reply>
++<data crlf="yes">
++HTTP/1.1 301 Follow this you fool
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
++ETag: "21025-dc7-39462498"
++Accept-Ranges: bytes
++Content-Length: 6
++Connection: close
++Location: http://b.com/%TESTNUMBER0002
++
++-foo-
++</data>
++
++<data2 crlf="yes">
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
++ETag: "21025-dc7-39462498"
++Accept-Ranges: bytes
++Content-Length: 7
++Connection: close
++
++target
++</data2>
++
++<datacheck crlf="yes">
++HTTP/1.1 301 Follow this you fool
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
++ETag: "21025-dc7-39462498"
++Accept-Ranges: bytes
++Content-Length: 6
++Connection: close
++Location: http://b.com/%TESTNUMBER0002
++
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
++ETag: "21025-dc7-39462498"
++Accept-Ranges: bytes
++Content-Length: 7
++Connection: close
++
++target
++</datacheck>
++</reply>
++
++#
++# Client-side
++<client>
++<server>
++http
++</server>
++<features>
++proxy
++</features>
++<name>
++.netrc with redirect and "default" with no password or login
++</name>
++<command>
++--netrc --netrc-file log/netrc%TESTNUMBER -L -x http://%HOSTIP:%HTTPPORT/ http://a.com/
++</command>
++<file name="log/netrc%TESTNUMBER" >
++
++machine a.com
++ login alice
++ password alicespassword
++
++default
++
++</file>
++</client>
++
++<verify>
++<protocol>
++GET http://a.com/ HTTP/1.1
++Host: a.com
++Authorization: Basic %b64[alice:alicespassword]b64%
++User-Agent: curl/%VERSION
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++GET http://b.com/%TESTNUMBER0002 HTTP/1.1
++Host: b.com
++User-Agent: curl/%VERSION
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++</protocol>
++</verify>
++</testcase>
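Review bot: The netrc in `<file name="log/netrc%TESTNUMBER" >` only exercises a `default` with neither login nor password, so the restructured `!password && our_login` path (blank password for a login-only entry) has no coverage in this backport. A companion case with a login-only entry would guard that branch against regressions. Minor: the hard-coded "log" directory that replaces "%LOGDIR" is explained only in the patch header, and there is a stray space before the closing `>` of the `<file>` tag.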
diff -Nru curl-7.88.1/debian/patches/series curl-7.88.1/debian/patches/series
--- curl-7.88.1/debian/patches/series 2025-01-20 03:22:01.000000000 +0100
+++ curl-7.88.1/debian/patches/series 2025-02-10 11:45:37.000000000 +0100
@@ -59,6 +59,9 @@
url-use-same-credentials-on-redirect.patch
CVE-2024-11053.patch
+# Patches from 8.12.0.
+CVE-2025-0167.patch
+
# Do not add patches below.
# Used to generate packages for the other crypto libraries.
90_gnutls.patch
--- End Message ---
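The file-side precondition named under [ Impact ], a `default` entry that omits both login and password, can be checked on existing netrc files. The following is an added example, not part of the original report or of curl; it uses a simplified whitespace tokenizer (no quoted strings), hypothetical function names and constructed sample data, and it does not check whether redirects are followed.

```python
# Added example: flags netrc files matching the CVE-2025-0167 precondition.
# Simplified tokenizer (assumption): whitespace-separated tokens, no quoting.
VALUE_KEYS = {"login", "password", "account"}

def strip_noise(text):
    """Drop '#' comment lines and macdef bodies (which end at a blank line)."""
    kept, in_macro = [], False
    for line in text.splitlines():
        if in_macro:
            in_macro = bool(line.strip())
            continue
        words = line.split()
        if words[:1] == ["macdef"]:
            in_macro = True
        elif not line.lstrip().startswith("#"):
            kept.append(line)
    return "\n".join(kept)

def parse_entries(text):
    """Return one dict per entry; 'host' is None for a 'default' entry."""
    tokens = strip_noise(text).split()
    entries, cur, i = [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "machine" and i + 1 < len(tokens):
            cur = {"host": tokens[i + 1]}
            entries.append(cur)
            i += 2
        elif tok == "default":
            cur = {"host": None}
            entries.append(cur)
            i += 1
        elif tok in VALUE_KEYS and cur is not None and i + 1 < len(tokens):
            cur[tok] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return entries

def has_bare_default(text):
    """True if a 'default' entry carries neither login nor password."""
    return any(e["host"] is None and "login" not in e and "password" not in e
               for e in parse_entries(text))

# Constructed samples; AFFECTED mirrors the netrc file used by test 486.
AFFECTED = "machine a.com\n login alice\n password alicespassword\n\ndefault\n"
SAFE = "machine a.com\n login alice\n password alicespassword\n\ndefault login anonymous password guest\n"

if __name__ == "__main__":
    print(has_bare_default(AFFECTED), has_bare_default(SAFE))
```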
--- Begin Message ---
Version: 12.10
This update has been released as part of 12.10. Thank you for your contribution.
--- End Message ---