Date: Wed, 13 Oct 2010 14:58:30 -0400 (EDT)
From: Josh Bressers <>
Cc: Daniel Stenberg <>,
        "Steven M. Christey" <>
Subject: Re: CVE Request -- cURL / mingw32-cURL -- Did not
 strip directory parts separated by backslashes, when downloading files

Please use CVE-2010-3842



----- "Jan Lieskovsky" <> wrote:

> Hello Steve, vendors,
>    cURL upstream has released new curl / libcurl v7.21.2 addressing
> one security flaw, specific for operating systems, where backslashes
> are used to separate directories from file names. More details follow:
>
> cURL did not properly cut off directory parts from user provided
> file name to be downloaded on operating systems, where backslashes
> are used to separate directories and file names. This could allow
> remote servers to create or overwrite files via a Content-Disposition
> header that suggests a crafted filename, and possibly execute
> arbitrary code as a consequence of writing to a certain file in a
> user's home directory. Different vulnerability than CVE-2010-2251,
> CVE-2010-2252 and CVE-2010-2253.
>
> Note: As already mentioned in [2]. This flaw only affected those
>        operating systems, where backslash is used to separate
>        directories and file names, thus Microsoft Windows, Novell
>        Netware, MSDOS, OS/2 and Symbian to mention some of them.
> References:
> [1]
> [2]
> Upstream patch:
> [3]
> Credit: Upstream acknowledges Dan Fandrich as the original reporter.
> Red Hat Bugzilla tracking system record:
> [4]
> Could you please allocate a CVE id for this issue?
> Thanks && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team
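
The separator handling described in the quoted report, as an added example that is not part of the original thread and is not curl's code: a basename routine that only knows '/' beside one that also treats '\' as a directory separator. The function names and sample file names are constructed for illustration, and rejecting empty, "." and ".." results goes beyond what the report mentions.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative "before": only '/' is treated as a separator, so a name
 * using backslashes passes through with its directory parts intact. */
static const char *basename_slash_only(const char *name)
{
    const char *s = strrchr(name, '/');
    return s ? s + 1 : name;
}

/* Illustrative "after": both '/' and '\\' end a directory part.
 * Returns NULL when nothing usable remains (empty, "." or ".."). */
static const char *basename_any_sep(const char *name)
{
    const char *base = name;
    const char *p;

    for (p = name; *p; p++) {
        if (*p == '/' || *p == '\\')
            base = p + 1;   /* restart after every separator seen */
    }
    if (*base == '\0' || strcmp(base, ".") == 0 || strcmp(base, "..") == 0)
        return NULL;
    return base;
}

int main(void)
{
    /* Constructed sample names, as a server might suggest them. */
    const char *samples[] = {
        "report.txt", "dir/report.txt", "..\\subdir\\file.txt",
        "mixed/dir\\name.bin", "trailing\\", ".."
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        const char *fixed = basename_any_sep(samples[i]);
        printf("%-24s slash-only: %-22s both: %s\n", samples[i],
               basename_slash_only(samples[i]),
               fixed ? fixed : "(rejected)");
    }
    return 0;
}
```

Applying the check to the suggested name on every platform, not only on builds where backslash is the native separator, keeps the saved file name the same wherever the download ends up.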
