CVE-2022-27779

NameCVE-2022-27779
Descriptionlibcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if thehost name is provided with a trailing dot.curl can be told to receive and send cookies. curl's "cookie engine" can bebuilt with or without [Public Suffix List](https://publicsuffix.org/)awareness. If PSL support not provided, a more rudimentary check exists to atleast prevent cookies from being set on TLDs. This check was broken if thehost name in the URL uses a trailing dot.This can allow arbitrary sites to set cookies that then would get sent to adifferent and unrelated site or domain.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
curl (PTS)bullseye7.74.0-1.3+deb11u13fixed
bullseye (security)7.74.0-1.3+deb11u15fixed
bookworm7.88.1-10+deb12u14fixed
bookworm (security)7.88.1-10+deb12u5fixed
trixie8.14.1-2fixed
forky8.17.0~rc2-1fixed
sid8.17.0~rc3-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
curlsourcestretch(not affected)
curlsourcebuster(not affected)
curlsourcebullseye(not affected)
curlsource(unstable)7.83.1-1

Notes

[bullseye] - curl <not-affected> (Vulnerable code introduced later)
[buster] - curl <not-affected> (Vulnerable code introduced later)
[stretch] - curl <not-affected> (Vulnerable code introduced later)
https://www.openwall.com/lists/oss-security/2022/05/11/2
https://curl.se/docs/CVE-2022-27779.html
Introduced by: https://github.com/curl/curl/commit/b27ad8e1d3e68eb3214fcbb398ca436873aa7c67 (curl-7_82_0)
Fixed by: https://github.com/curl/curl/commit/7e92d12b4e6911f424678a133b19de670e183a59 (curl-7_83_1)
Search for package or bug name: Reporting problems