CVE-2012-0036

Priority
Medium
Description
curl and libcurl 7.2x before 7.24.0 do not properly consider special
characters during extraction of a pathname from a URL, which allows remote
attackers to conduct data-injection attacks via a crafted URL, as
demonstrated by a CRLF injection attack on the (1) IMAP, (2) POP3, or (3)
SMTP protocol.
References
Notes
mdeslaur> curl 7.20.0 to and including 7.23.1 only
Assigned-to
mdeslaur
Package
Source: curl (LP Ubuntu Debian)
Upstream: released (7.24.0)
Ubuntu 8.04 LTS (Hardy Heron): not-affected (7.18.0-1ubuntu2.3)
Ubuntu 10.04 LTS (Lucid Lynx): not-affected (7.19.7-1ubuntu1.1)
Ubuntu 11.04 (Natty Narwhal): released (7.21.3-1ubuntu1.5)
Ubuntu 11.10 (Oneiric Ocelot): released (7.21.6-3ubuntu3.2)
Ubuntu 12.04 LTS (Precise Pangolin): released (7.22.0-3ubuntu2)

Updated: 2012-06-01 15:22:36 UTC (commit 5347)