=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2010/VULN407
_____________________________________________________________________

DATE                      : 14/10/2010

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running cURL.

======================================================================
http://curl.haxx.se/docs/adv_20101013.html
______________________________________________________________________

 Security Advisory October 13 2010

                           curl local file overwrite
                           =========================

Project cURL Security Advisory, October 13th 2010
http://curl.haxx.se/docs/security.html

1. VULNERABILITY

  curl offers a command line option --remote-header-name (also usable as -J)
  which will use the file name of the Content-disposition: header when it
  saves the downloaded data locally.

  curl attempts to cut off the directory parts from any given file name in the
  header to only store files in the current directory. It will overwrite a
  local file using the same name as the header specifies.

  The stripping of the directory did not take backslashes into account. On
  some operating systems, backslashes are used to separate directories and
  file names. This allows a rogue server to send back a response that
  overwrites a file name in the local machine that the user is allowed to
  write, potentially a system file, a command or a known executable.

  Operating systems affected include Windows, Netware, MSDOS, OS/2 and
  Symbian.

  This error is only present in the curl command line tool, it is NOT a
  problem of the library libcurl.

  There is no known exploit for this problem.

2. AFFECTED VERSIONS

  Affected versions: curl 7.20.0 to and including 7.21.1
  Not affected versions: curl < 7.20.0 and >= 7.21.2

  Also note that curl is used by many applications, and not always advertised
  as such.

3. THE SOLUTION

  libcurl 7.21.2 makes sure that it will also strip off paths specified using
  backslashes as path separator.

4. RECOMMENDATIONS

  We suggest you take one of the following actions immediately, in order of
  preference:

  A - Upgrade to curl and libcurl 7.21.2

  B - Apply this patch and rebuild

      http://curl.haxx.se/curl-content-disposition.patch

  C - Stop using the --remote-header-name/-J option

5. TIME LINE

  Dan Fandrich realized the problem exists and reported to the rest of the
  team on September 3 2010.

  We discussed solutions and a first patch was written and tested on September
  4th.

  curl 7.21.2 was released on October 13th 2010, just before this flaw was
  publicly disclosed.

6. CREDITS

  Reported to us by Dan Fandrich. Thanks a lot!

  Daniel Stenberg wrote the primary patch and this advisory

======================================================================

          =========================================================
          Les serveurs de référence du CERT-Renater
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================