Package: release.debian.org
Control: affects -1 + src:curl
X-Debbugs-Cc: [email protected]
User: [email protected]
Usertags: pu
Tags: trixie
Severity: normal
[ Reason ]
Fix CVE-2025-11563; the previously accepted deb13u1 had an incomplete fix.
The problem comes from upstream, which merged another commit to correctly
fix the CVE. This upload carries the upstream fix.

It's important to get this staged for the next point release, so we don't
publish deb13u1, which incorrectly claims to fix the CVE.

[ Impact ]
- CVE-2025-11563 is a path traversal vulnerability where users might end up
  with the downloaded files placed in a folder outside of the current working
  directory unintentionally.
- deb13u1 claims to have fixed this CVE, but it's not correct; it's important
  to ship deb13u2 in the same point release to avoid having the incomplete
  fix published.

[ Tests ]
I've manually confirmed the fix works. Upstream has unit tests confirming it
as well; those were broken and got fixed upstream.

[ Risks ]
This is a single-line change on the patch for CVE-2025-11563.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Import upstream changes from https://github.com/curl/wcurl/pull/75

[ Other info ]
Given the importance of getting this into the next point release, I'm
uploading the package before the confirmation from the release team. I'm
assuming this is ok given the release team has the choice of rejecting the
package.

Regards,

-- 
Samuel Henrique <samueloph>
diff -Nru curl-8.14.1/debian/changelog curl-8.14.1/debian/changelog --- curl-8.14.1/debian/changelog 2025-10-05 14:03:32.000000000 -0700 +++ curl-8.14.1/debian/changelog 2025-11-09 06:49:56.000000000 -0800 @@ -1,3 +1,10 @@ +curl (8.14.1-2+deb13u2) trixie; urgency=medium + + * d/p/wcurl-CVE-2025-11563.patch: Pull upstream changes to actually fix + CVE-2025-11563 + + -- Samuel Henrique <[email protected]> Sun, 09 Nov 2025 06:49:56 -0800 + curl (8.14.1-2+deb13u1) trixie; urgency=medium [ Alex ] diff -Nru curl-8.14.1/debian/patches/wcurl-CVE-2025-11563.patch curl-8.14.1/debian/patches/wcurl-CVE-2025-11563.patch --- curl-8.14.1/debian/patches/wcurl-CVE-2025-11563.patch 2025-10-05 14:03:32.000000000 -0700 +++ curl-8.14.1/debian/patches/wcurl-CVE-2025-11563.patch 2025-11-09 06:49:56.000000000 -0800 @@ -1,4 +1,3 @@ -From 524f7e733237cd26553dfd76adda521d3150d852 Mon Sep 17 00:00:00 2001 From: Samuel Henrique <[email protected]> Date: Sun, 12 Oct 2025 14:39:46 +0100 Subject: [PATCH] Don't percent-decode '/' and '\' in output file name @@ -12,12 +11,14 @@ * Swap placement of logical AND (&&) operator in conditions of the if statement to match the new approach; i.e.; they are written in the beginning of the line instead of the end now. + * Pull fix from https://github.com/curl/wcurl/pull/75, prefixing values + in UNSAFE_PERCENT_ENCODE with "%". --- scripts/wcurl | 28 +++++++++++++++++++++++++--- 1 file changed, 25 insertions(+), 3 deletions(-) diff --git a/scripts/wcurl b/scripts/wcurl -index 84b981a..3d768a1 100755 +index 84b981a..a70c3b8 100755 --- a/scripts/wcurl +++ b/scripts/wcurl @@ -113,6 +113,13 @@ readonly PER_URL_PARAMETERS="\ @@ -29,7 +30,7 @@ +# characters. +# 2F = / +# 5C = \ -+readonly UNSAFE_PERCENT_ENCODE="2F 5C" ++readonly UNSAFE_PERCENT_ENCODE="%2F %5C" + # Whether to invoke curl or not. DRY_RUN="false"
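Review bot: in the debian/changelog hunk (@@ -1,3 +1,10 @@), the new entry says the patch is pulled to "actually fix" CVE-2025-11563 but never records that the 8.14.1-2+deb13u1 fix was incomplete, which is the one fact a reader comparing the two adjacent entries needs; consider wording it as "Pull upstream changes (wcurl PR 75) to complete the fix for CVE-2025-11563, which was incomplete in 8.14.1-2+deb13u1".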
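Review bot: the first hunk of wcurl-CVE-2025-11563.patch (@@ -1,4 +1,3 @@) drops the `From 524f7e733237cd26553dfd76adda521d3150d852` line, which was the only upstream commit reference in the patch header, while the patch now combines two upstream changes (that commit plus https://github.com/curl/wcurl/pull/75); add DEP-3 `Origin:` or `Applied-Upstream:` headers naming both so the Debian patch can be matched against upstream without going through the changelog.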
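Review bot: the last hunk (@@ -29,7 +30,7 @@), which changes `readonly UNSAFE_PERCENT_ENCODE="2F 5C"` to `"%2F %5C"`, is the entire fix, but the code that compares this list against the escapes in the URL is not part of the debdiff, so these lines alone do not show that the comparison side expects the `%`-prefixed form or how it treats lowercase `%2f` / `%5c`, which decode to the same separators; please confirm both against the upstream PR before the point release. The comment lines kept just above the value (`# 2F = /`, `# 5C = \`) still document the bare hex digits and should be updated to `%2F` and `%5C` to match the new entries.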
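An added example, not wcurl's or the Debian package's own code, of the approach the [ Impact ] text and the final hunk describe: percent-decode a candidate output file name while leaving %2F and %5C encoded in either letter case, then check that the result cannot leave the working directory. The UNSAFE_PERCENT_ENCODE value is the one from the debdiff; the function names and the sample inputs are assumptions.

```shell
#!/bin/sh
# Added example modelled on the patched wcurl approach; it is not wcurl's
# own code. The UNSAFE_PERCENT_ENCODE value is the one from the debdiff;
# the function names and sample inputs are assumptions.
UNSAFE_PERCENT_ENCODE="%2F %5C"

# safe_percent_decode STRING: print STRING with %XX escapes decoded,
# except that %2F and %5C (in either letter case) are left encoded.
safe_percent_decode() {
    s=$1
    out=""
    while [ -n "$s" ]; do
        rest=${s#?}
        c=${s%"$rest"}
        s=$rest
        if [ "$c" = "%" ]; then
            hex=$(printf '%.2s' "$s")
            case "$hex" in
                [0-9A-Fa-f][0-9A-Fa-f])
                    up=$(printf '%s' "$hex" | tr 'abcdef' 'ABCDEF')
                    case " $UNSAFE_PERCENT_ENCODE " in
                        *" %$up "*)
                            # Decoding a separator would let the name
                            # escape the working directory: keep it.
                            c="%$hex" ;;
                        *)
                            c=$(printf "\\$(printf '%03o' "0x$hex")") ;;
                    esac
                    s=${s#??}
                    ;;
                *)  # Not a valid escape: emit the '%' as-is.
                    ;;
            esac
        fi
        out="$out$c"
    done
    printf '%s' "$out"
}

# is_safe_output_name NAME: succeed only when NAME cannot leave the
# current directory (non-empty, not . or .., no / or \ characters).
is_safe_output_name() {
    case "$1" in
        ''|.|..|*/*|*\\*) return 1 ;;
        *) return 0 ;;
    esac
}
```

A caller would derive the candidate name from the URL, run it through safe_percent_decode, and refuse to write the file unless is_safe_output_name succeeds on the result.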

