CVE-2012-0036

Publication date 24 January 2012

Last updated 24 July 2024

Ubuntu priority

curl and libcurl 7.2x before 7.24.0 do not properly consider special characters during extraction of a pathname from a URL, which allows remote attackers to conduct data-injection attacks via a crafted URL, as demonstrated by a CRLF injection attack on the (1) IMAP, (2) POP3, or (3) SMTP protocol.

Read the notes from the security team

Status

Show unmaintained releases

No maintained releases are affected by this CVE.

Package	Ubuntu Release	Status
curl	11.10 oneiric	Fixed 7.21.6-3ubuntu3.2
	11.04 natty	Fixed 7.21.3-1ubuntu1.5
	10.10 maverick	Fixed 7.21.0-1ubuntu1.3
	10.04 LTS lucid	Not affected
	8.04 LTS hardy	Not affected

How can I get the fixes?
What do statuses mean?

Notes

mdeslaur

curl 7.20.0 to and including 7.23.1 only

References

MITRE
NVD
Launchpad
Debian

Related Ubuntu Security Notices (USN)

USN-1346-1
curl vulnerability
24 January 2012

Other references

http://curl.haxx.se/docs/adv_20120124.html
https://www.cve.org/CVERecord?id=CVE-2012-0036