Re: CVE Request -- cURL / mingw32-cURL -- Did not strip directory parts separated by backslashes, when downloading files

[Josh Bressers <bressers () redhat com>]

Please use CVE-2010-3842

Thanks.

-- 
    JB


----- "Jan Lieskovsky" <jlieskov () redhat com> wrote:

> Hello Steve, vendors,
>
>    cURL upstream has released new curl / libcurl v7.21.2 addressing
> one security flaw,
> specific for operating systems, where backslashes are used to separate
> directories from
> file names. More details follow:
>
> cURL did not properly cut off directory parts from user provided
> file name to be downloaded on operating systems, where backslashes
> are used to separate directories and file names. This could allow
> remote servers to create or overwrite files via a Content-Disposition
> header that suggests a crafted filename, and possibly execute
> arbitrary
> code as a consequence of writing to a certain file in a user's home
> directory. Different vulnerability than CVE-2010-2251, CVE-2010-2252
> and CVE-2010-2253.
>
> Note: As already mentioned in [2]. This flaw only affected those
>        operating systems, where backslash is used to separate
> directories
>        and file names, thus Microsoft Windows, Novell Netware, MSDOS,
> OS/2
>        and Symbian to mention some of them.
>
> References:
> [1] http://curl.haxx.se/docs/security.html
> [2] http://curl.haxx.se/docs/adv_20101013.html
>
> Upstream patch:
> [3] http://curl.haxx.se/curl-content-disposition.patch
>
> Credit: Upstream acknowledges Dan Fandrich as the original reporter.
>
> Red Hat Bugzilla tracking system record:
> [4] https://bugzilla.redhat.com/show_bug.cgi?id=642642
>
> Could you please allocate a CVE id for this issue?
>
> Thanks && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team