Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:curl
User: [email protected]
Usertags: pu
[ Reason ]
The curl package version in Debian Trixie is affected by the CVE:
https://security-tracker.debian.org/tracker/CVE-2025-13034
The updated version contains the patch, backported from upstream.

[ Impact ]
If not approved, installations on Trixie will stay vulnerable to the exploit CVE-2025-13034: under certain conditions, curl skips certificate checks. More info on the link below.
https://curl.se/docs/CVE-2025-13034.html

[ Tests ]
All upstream tests are run as part of the autopkgtest suite and have passed.

[ Risks ]
Errors in backporting the patch such that it introduces regressions or doesn't close the vulnerability were not caught by upstream tests.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
* The backport patch removes the condition for checking the certificate, thus always checking its validity.

[ Other info ]
The issue has been fixed in version 8.18, but a patch to the 8.14 version is yet to be applied on Debian (Bookworm and older versions are not affected).
The link for the merge request that contains the patch is:
https://salsa.debian.org/debian/curl/-/commit/6a85f51f6458a95750816604a0c7887b6cf62b41
diff -Nru curl-8.14.1/debian/changelog curl-8.14.1/debian/changelog --- curl-8.14.1/debian/changelog 2025-11-09 11:49:56.000000000 -0300 +++ curl-8.14.1/debian/changelog 2026-01-29 23:20:09.000000000 -0300 @@ -1,3 +1,10 @@ +curl (8.14.1-2+deb13u3) UNRELEASED; urgency=medium + + * Team upload. + * d/p/CVE-2025-13034.patch: cherry-pick from upstream + + -- Matheus Souza Zanzin <[email protected]> Thu, 29 Jan 2026 23:20:09 -0300 + curl (8.14.1-2+deb13u2) trixie; urgency=medium * d/p/wcurl-CVE-2025-11563.patch: Pull upstream changes to actually fix diff -Nru curl-8.14.1/debian/patches/CVE-2025-13034.patch curl-8.14.1/debian/patches/CVE-2025-13034.patch --- curl-8.14.1/debian/patches/CVE-2025-13034.patch 1969-12-31 21:00:00.000000000 -0300 +++ curl-8.14.1/debian/patches/CVE-2025-13034.patch 2026-01-29 23:20:09.000000000 -0300 
@@ -0,0 +1,45 @@ +From: Daniel Stenberg <[email protected]> +Date: Fri, 14 Nov 2025 16:42:23 +0100 +Subject: [PATCH] vquic-tls/gnutls: call Curl_gtls_verifyserver unconditionally + +Closes #19531 + +[PATCH] When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` +with the curl tool, curl should check the public key of the server certificate to +verify the peer. This check was skipped in a certain condition that would then make +curl allow the connection without performing the proper check, thus not noticing a +possible impostor. To skip this check, the connection had to be done with QUIC with +ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard +certificate verification. + +Backported-by: Matheus Souza Zanzin <[email protected]> + * removes host verification so that it always verifies. +Origin: backport, https://github.com/curl/curl/commit/3d91ca8cdb3b434226e743946d428b4dd3acf2c9 +Last-Update: 2026-01-29 +--- + lib/vquic/vquic-tls.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/lib/vquic/vquic-tls.c b/lib/vquic/vquic-tls.c +index 2a5be13..b8b0e6b 100644 +--- a/lib/vquic/vquic-tls.c ++++ b/lib/vquic/vquic-tls.c +@@ -169,13 +169,11 @@ CURLcode Curl_vquic_tls_verify_peer(struct curl_tls_ctx *ctx, + (void)conn_config; + result = Curl_oss_check_peer_cert(cf, data, &ctx->ossl, peer); + #elif defined(USE_GNUTLS) +- if(conn_config->verifyhost) { +- result = Curl_gtls_verifyserver(data, ctx->gtls.session, +- conn_config, &data->set.ssl, peer, +- data->set.str[STRING_SSL_PINNEDPUBLICKEY]); +- if(result) +- return result; +- } ++ result = Curl_gtls_verifyserver(data, ctx->gtls.session, ++ conn_config, &data->set.ssl, peer, ++ data->set.str[STRING_SSL_PINNEDPUBLICKEY]); ++ if(result) ++ return result; + #elif defined(USE_WOLFSSL) + (void)data; + if(conn_config->verifyhost) { diff -Nru curl-8.14.1/debian/patches/series curl-8.14.1/debian/patches/series --- curl-8.14.1/debian/patches/series 
2025-11-09 11:49:56.000000000 -0300 +++ curl-8.14.1/debian/patches/series 2026-01-29 23:20:09.000000000 -0300 @@ -16,3 +16,4 @@ wcurl-Fix-example-for-continue-at.patch # CVE-2025-11563 wcurl-CVE-2025-11563.patch +CVE-2025-13034.patch
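Review bot: the new debian/changelog entry targets `UNRELEASED`; a trixie pu upload has to name the suite, i.e. `curl (8.14.1-2+deb13u3) trixie; urgency=medium`, exactly as the preceding deb13u2 entry does, otherwise the upload will be rejected or land in the wrong place. Once this report has a number, the `d/p/CVE-2025-13034.patch` line should also carry a `(Closes: #<this pu bug>)` reference so the bug is closed by the upload.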
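Review bot: the DEP-3 `Backported-by` note ` * removes host verification so that it always verifies.` describes the opposite of what the hunk does; the hunk removes the `if(conn_config->verifyhost)` guard around `Curl_gtls_verifyserver()` so that the verification call is made unconditionally, it does not remove host verification, so reword it along the lines of `* drop the verifyhost guard so Curl_gtls_verifyserver() is always called`. Two things are worth confirming before upload: first, that `Curl_gtls_verifyserver()` in 8.14.1 honours `verifypeer`/`verifyhost` internally, because the removed guard was the only thing in this caller that kept it from running for `--insecure` QUIC connections and the backport must not change that behaviour beyond what upstream intended; second, that the `USE_WOLFSSL` branch visible in the trailing context deliberately keeps its `if(conn_config->verifyhost)` guard, which is consistent with the advisory scoping the issue to ngtcp2 built with GnuTLS, so no extra hunk is needed there. Minor: the description body repeats a stray `[PATCH]` prefix on the `When using ...` line that can be dropped, and a `Bug: https://curl.se/docs/CVE-2025-13034.html` field would complete the header.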
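Review bot: the debian/patches/series hunk appends `CVE-2025-13034.patch` directly under `wcurl-CVE-2025-11563.patch`, but the visible context shows the file's convention of a `# CVE-...` comment line preceding each security patch (`# CVE-2025-11563` sits above `wcurl-CVE-2025-11563.patch`); add a `# CVE-2025-13034` line above the new entry to keep that convention.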

