Bug 10595

Summary: curl new security issue CVE-2013-2174
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: martynvidler, oe, rverschelde, sysadmin-bugs
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/556156/
Whiteboard: MGA2TOO has_procedure MGA2-32-OK MGA3-32-OK MGA3-64-ok MGA2-64-OK
Source RPM: curl-7.28.1-6.mga3.src.rpm CVE:
Status comment:

Description David Walser 2013-06-23 02:11:29 CEST 
Upstream has issued an advisory today (June 22):
http://curl.haxx.se/docs/adv_20130622.html

Updated package uploaded for Cauldron (by Funda).

Patched packages uploaded for Mageia 2 and Mageia 3 (by me).

Advisory:
========================

Updated curl packages fix security vulnerability:

libcurl is vulnerable to a case of bad checking of the input data which may
lead to heap corruption. The function curl_easy_unescape() decodes URL encoded
strings to raw binary data. URL encoded octets are represented with %HH
combinations where HH is a two-digit hexadecimal number. The decoded string is
written to an allocated memory area that the function returns to the caller
(CVE-2013-2174)

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2174
http://curl.haxx.se/docs/adv_20130622.html
========================

Updated packages in core/updates_testing:
========================
curl-7.24.0-1.2.mga2
libcurl4-7.24.0-1.2.mga2
libcurl-devel-7.24.0-1.2.mga2
curl-examples-7.24.0-1.2.mga2
curl-7.28.1-6.1.mga3
libcurl4-7.28.1-6.1.mga3
libcurl-devel-7.28.1-6.1.mga3
curl-examples-7.28.1-6.1.mga3

from SRPMS:
curl-7.24.0-1.2.mga2.src.rpm
curl-7.28.1-6.1.mga3.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2013-06-23 02:11:35 CEST

Whiteboard: (none) => MGA2TOO

Comment 1 Rémi Verschelde 2013-06-23 13:24:12 CEST 
Tested that curl still works as expected on mga3 i586, following Claire's procedure from https://bugs.mageia.org/show_bug.cgi?id=4307#c11 (should we add it to the QA testing procedures on the wiki?)

If it's not enough, please remove MGA3-OK-32 from the whiteboard.

CC: (none) => remi
Whiteboard: MGA2TOO => MGA2TOO MGA3-32-OK

Comment 2 Rémi Verschelde 2013-06-23 13:33:21 CEST 
Tested that urpmi --curl stills works as intended, too.
Comment 3 Rémi Verschelde 2013-06-23 14:47:49 CEST 
Testing complete from mga2 i586 (VM).

Whiteboard: MGA2TOO MGA3-32-OK => MGA2TOO MGA2-32-OK MGA3-32-OK

Comment 4 martyn vidler 2013-06-23 16:01:17 CEST 
MGA3 64 

Followed same test as Comment 1 all ran as expected

CC: (none) => martynvidler
Whiteboard: MGA2TOO MGA2-32-OK MGA3-32-OK => MGA2TOO MGA2-32-OK MGA3-32-OK MGA3-64-ok

David Walser 2013-06-24 20:00:11 CEST

URL: (none) => http://lwn.net/Vulnerabilities/556156/

Samuel Verschelde 2013-06-26 11:45:34 CEST

Whiteboard: MGA2TOO MGA2-32-OK MGA3-32-OK MGA3-64-ok => MGA2TOO has_procedure MGA2-32-OK MGA3-32-OK MGA3-64-ok

Comment 5 Samuel Verschelde 2013-06-26 11:52:15 CEST 
Testing complete mga2 64

Whiteboard: MGA2TOO has_procedure MGA2-32-OK MGA3-32-OK MGA3-64-ok => MGA2TOO has_procedure MGA2-32-OK MGA3-32-OK MGA3-64-ok MGA2-64-OK

Comment 6 claire robinson 2013-06-26 12:03:13 CEST 
Validating. Advisory uploaded.

Could sysadmin please push from 2 & 3 core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 Nicolas Vigier 2013-06-26 20:52:07 CEST 
http://advisories.mageia.org/MGASA-2013-0188.html

Status: NEW => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED

Comment 8 Oden Eriksson 2013-06-27 11:09:05 CEST 
FYI. There is a PoC for this:

wget "https://bugzilla.redhat.com/attachment.cgi?id=761296" -O
CVE-2013-2174-poc.c
gcc -o CVE-2013-2174-poc CVE-2013-2174-poc.c -lcurl
./CVE-2013-2174-poc

(tested, all ok)

CC: (none) => oe

Nicolas Vigier 2014-05-08 18:06:08 CEST

CC: boklm => (none)