[arch-security] [ASA-201501-9] curl: url request injection

[Remi Gacogne]

Arch Linux Security Advisory ASA-201501-9
=========================================

Severity: Low
Date    : 2015-01-18
CVE-ID  : CVE-2014-8150
Package : curl
Type    : url request injection
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package curl before version 7.40.0-1 is vulnerable to an URL request
injection issue when using a HTTP proxy.

Resolution
==========

Upgrade to 7.40.0-1.

# pacman -Syu "curl>=7.40.0-1"

The problem has been fixed upstream in version 7.40.0.

Workaround
==========

Only use URLs that are carefully stripped from line feeds and carriage
returns.

Description
===========

When libcurl sends a request to a server via a HTTP proxy, it copies the
entire URL into the request and sends if off.
If the given URL contains line feeds and carriage returns those will be
sent along to the proxy too, which allows the program to for example
send a separate HTTP request injected embedded in the URL.
Many programs allow some kind of external sources to set the URL or
provide partial pieces for the URL to ask for, and if the URL as
received from the user is not stripped good enough this flaw allows
malicious users to do additional requests in a way that was not
intended, or just to insert request headers into the request that the
program didn't intend.


Impact
======

A remote attacker may be able to inject arbitrary HTTP headers, or even
send a completely new HTTP request by placing CRLF in the URL passed to
curl or libcurl.

References
==========

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8150
http://curl.haxx.se/docs/adv_20150108B.html
https://bugs.archlinux.org/task/43379

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20150119/88303262/attachment.asc>