debcrafters-packages team mailing list archive

[Marc Deslauriers <2118865@xxxxxxxxxxxxxxxxxx>]

I have uploaded a curl package for jammy that fixes this issue in the
security team ppa here:

https://launchpad.net/~ubuntu-security-
proposed/+archive/ubuntu/ppa/+packages

Please test it to make sure it fixes the regression in your environment
and leave a comment here. Once it has been tested successfully, I will
release it as a regression fix.

Thanks!

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to curl in Ubuntu.
https://bugs.launchpad.net/bugs/2118865

Title:
  libcurl outgoing Cookie header field size check is broken

Status in curl package in Ubuntu:
  Fix Released
Status in curl source package in Jammy:
  In Progress

Bug description:
  libcurl's check to limit outgoing Cookier header field size is broken.
  The implementation in Jammy's libcurl4-7.81.0* was backported from a
  newer curl (as part of CVE-2022-32205) but that implementation is
  buggy and mistakenly checks against the entire outgoing request size,
  instead of the cookie header size.

  Upstream curl has fixed this, and the (simple) fix should be
  backported to here too.

  For example, if someone has a big request header (very common with
  different authentication schemes like big JWT/bearer tokens or
  Kerberos/SPNEGO), curl will drop cookies even though the cookies are
  tiny.

  Here is curl's original fix for CVE-2022-32205: https://github.com/curl/curl/commit/48d7064a49148f03942380967da739dcde1cdc24
  Here is the bugfix that correctly tracks the Cookie header size: https://github.com/curl/curl/commit/d40e5cc9a3c7c5ba88523be0272f842ca8672357

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/curl/+bug/2118865/+subscriptions