7723 – [Anolis OS 23] Bugfix for CVE-2023-46218

Bug 7723 - [Anolis OS 23] Bugfix for CVE-2023-46218

Summary: [Anolis OS 23] Bugfix for CVE-2023-46218

Status:	RESOLVED FIXED

Alias:	None

Product:	Anolis OS 23
Classification:	Anolis OS
Component:	BaseOS Packages (show other bugs)	BaseOS Packages
Sub Component:
Version:	unspecified
Hardware:	All Linux

Importance:	P4-Low S4-trivial
Target Milestone:	---
Assignee:	happy_orange
QA Contact:	bolong_tbl

URL:
Whiteboard:
Keywords:	CVE

Depends on:
Blocks:

Reported:	2023-12-12 19:50 UTC by 小龙
Modified:	2023-12-12 19:51 UTC (History)
CC List:	0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description 小龙 admin

2023-12-12 19:50:56 UTC

Description:
This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. It could do this by exploiting a mixed case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a cookie could be set with `domain=co.UK` when the URL used a lower case hostname `curl.co.uk`, even though `co.uk` is listed as a PSL domain.

Broken commit info:
https://github.com/curl/curl/commit/e77b5b7453c1e8c

Bugfix commit info:
https://github.com/curl/curl/commit/2b0994c29a721c91c57

Comment 1 小龙 admin

2023-12-12 19:51:06 UTC

PR: 
https://e.gitee.com/openanolis/repos/src-anolis-os/curl/pulls/33?tab=files