debcrafters-packages team mailing list archive

Thread
Date

[Bug 2118865] Re: libcurl outgoing Cookie header field size check is broken

To: debcrafters-packages@xxxxxxxxxxxxxxxxxxx
From: Simon Poirier <2118865@xxxxxxxxxxxxxxxxxx>
Date: Mon, 28 Jul 2025 22:58:40 -0000
Reply-to: Bug 2118865 <2118865@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

** Changed in: curl (Ubuntu)
   Importance: Undecided => Medium

** Changed in: curl (Ubuntu)
       Status: New => Triaged

** Tags added: dcr-incoming

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to curl in Ubuntu.
https://bugs.launchpad.net/bugs/2118865

Title:
  libcurl outgoing Cookie header field size check is broken

Status in curl package in Ubuntu:
  Triaged

Bug description:
  libcurl's check to limit outgoing Cookier header field size is broken.
  The implementation in Jammy's libcurl4-7.81.0* was backported from a
  newer curl (as part of CVE-2022-32205) but that implementation is
  buggy and mistakenly checks against the entire outgoing request size,
  instead of the cookie header size.

  Upstream curl has fixed this, and the (simple) fix should be
  backported to here too.

  For example, if someone has a big request header (very common with
  different authentication schemes like big JWT/bearer tokens or
  Kerberos/SPNEGO), curl will drop cookies even though the cookies are
  tiny.

  Here is curl's original fix for CVS-2022-32205: https://github.com/curl/curl/commit/48d7064a49148f03942380967da739dcde1cdc24
  Here is the bugfix that correctly tracks the Cookie header size: https://github.com/curl/curl/commit/d40e5cc9a3c7c5ba88523be0272f842ca8672357

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/curl/+bug/2118865/+subscriptions

References

[Bug 2118865] [NEW] libcurl outgoing Cookie header field size check is broken
From: Adam Batkin, 2025-07-27