===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2015.0062
           Multiple vulnerabilities have been identified in cURL
                               18 June 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              curl
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Access Privileged Data -- Remote/Unauthenticated
                      Denial of Service      -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2015-3237 CVE-2015-3236 
Member content until: Saturday, July 18 2015

OVERVIEW

        Multiple vulnerabilities have been identified in cURL versions 
        from 7.40.0 (inclusive) up to, but not including, 7.43.0. [1]


IMPACT

        The following details have been provided regarding the 
        vulnerabilities:
        
        CVE-2015-3236:
        
        "libcurl can wrongly send HTTP credentials when re-using 
        connections.
        
        libcurl allows applications to set credentials for the upcoming 
        transfer with HTTP Basic authentication, like with CURLOPT_USERPWD 
        for example. Name and password. Just like all other libcurl options
        the credentials are sticky and are kept associated with the "handle"
        until something is made to change the situation.
        
        Further, libcurl offers a curl_easy_reset() function that resets a 
        handle back to its pristine state in terms of all settable options.
        A reset is of course also supposed to clear the credentials. A reset
        is typically used to clear up the handle and prepare it for a new, 
        possibly unrelated, transfer.
        
        Within such a handle, libcurl can also store a set of previous 
        connections in case a second transfer is requested to a host name 
        for which an existing connection is already kept alive.
        
        With this flaw present, using the handle even after a reset would 
        make libcurl accidentally use those credentials in a subsequent 
        request if done to the same host name and connection as was 
        previously accessed.
        
        An example case would be first requesting a password protected 
        resource from one section of a web site, and then do a second 
        request of a public resource from a completely different part of the
        site without authentication. This flaw would then inadvertently leak
        the credentials in the second request." [2]
        
        CVE-2015-3237:
        
        "libcurl can get tricked by a malicious SMB server to send off data 
        it did not intend to.
        
        In libcurl's state machine function handling the SMB protocol 
        (smb_request_state()), two length and offset values are extracted 
        from data that has arrived over the network, and those values are 
        subsequently used to figure out what data range to send back.
        
        The values are used and trusted without boundary checks and are just
        assumed to be valid. This allows carefully handicrafted packages to
        trick libcurl into responding and sending off data that was not 
        intended. Or just crash if the values cause libcurl to access 
        invalid memory." [3]
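
        The class of check whose absence CVE-2015-3237 describes, as an added
        example that is not code from libcurl or from the advisory. The
        4-byte header layout, the sample messages and all names are
        assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical message layout (not libcurl's SMB structures):
 * bytes 0-1 = payload offset, bytes 2-3 = payload length, little endian.
 * Both fields come from the peer and are therefore untrusted. */
#define HDR_SIZE 4

/* Constructed sample messages: one valid, two with out-of-range fields. */
static const unsigned char msg_ok[]   = {4, 0, 3, 0, 'a', 'b', 'c'};
static const unsigned char msg_long[] = {4, 0, 0xff, 0, 'a', 'b', 'c'};
static const unsigned char msg_far[]  = {0xff, 0xff, 1, 0, 'a', 'b', 'c'};

static size_t rd16le(const unsigned char *p)
{
  return (size_t)p[0] | ((size_t)p[1] << 8);
}

/* Copy the range the peer describes into out. Returns the number of bytes
 * copied, or -1 if the range is not inside the msg_len bytes received. */
long extract_range(const unsigned char *msg, size_t msg_len,
                   unsigned char *out, size_t out_size)
{
  size_t off, len;

  if(msg_len < HDR_SIZE)
    return -1;                 /* header itself is truncated */
  off = rd16le(msg);
  len = rd16le(msg + 2);

  /* Without the checks below, memcpy(out, msg + off, len) would read
   * whatever lies beyond the received message, or fault. */
  if(off < HDR_SIZE || off > msg_len)
    return -1;                 /* offset inside header or past the end */
  if(len > msg_len - off)
    return -1;                 /* subtraction form cannot wrap around */
  if(len > out_size)
    return -1;                 /* destination buffer too small */

  memcpy(out, msg + off, len);
  return (long)len;
}

int main(void)
{
  unsigned char out[16];
  printf("ok=%ld long=%ld far=%ld\n",
         extract_range(msg_ok, sizeof msg_ok, out, sizeof out),
         extract_range(msg_long, sizeof msg_long, out, sizeof out),
         extract_range(msg_far, sizeof msg_far, out, sizeof out));
  return 0;
}
```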


MITIGATION

        Users are advised to upgrade cURL to version 7.43.0. [1-3]


REFERENCES

        [1] cURL -- Multiple Vulnerability
            http://www.vuxml.org/freebsd/2438d4af-1538-11e5-a106-3c970e169bc2.html

        [2] lingering HTTP credentials in connection re-use
            http://curl.haxx.se/docs/adv_20150617A.html

        [3] SMB send off unrelated memory contents
            http://curl.haxx.se/docs/adv_20150617B.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================