PublicDateAtUSN: 2012-01-24
Candidate: CVE-2012-0036
PublicDate: 2012-04-13 20:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0036
 http://curl.haxx.se/docs/adv_20120124.html
 https://ubuntu.com/security/notices/USN-1346-1
Description:
 curl and libcurl 7.2x before 7.24.0 do not properly consider special
 characters during extraction of a pathname from a URL, which allows remote
 attackers to conduct data-injection attacks via a crafted URL, as
 demonstrated by a CRLF injection attack on the (1) IMAP, (2) POP3, or (3)
 SMTP protocol.
Ubuntu-Description:
Notes:
 mdeslaur> curl 7.20.0 to and including 7.23.1 only
Bugs:
Priority: medium
Discovered-by: Dan Fandrich
Assigned-to: mdeslaur
CVSS:

Patches_curl:
upstream_curl: released (7.24.0)
hardy_curl: not-affected (7.18.0-1ubuntu2.3)
lucid_curl: not-affected (7.19.7-1ubuntu1.1)
maverick_curl: released (7.21.0-1ubuntu1.3)
natty_curl: released (7.21.3-1ubuntu1.5)
oneiric_curl: released (7.21.6-3ubuntu3.2)
devel_curl: released (7.22.0-3ubuntu2)