Bug 11703

Summary: curl new security issue CVE-2013-4545
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: dan, sysadmin-bugs, tmb
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/574198/
Whiteboard: MGA2TOO has_procedure advisory MGA2-32-OK mga2-64-ok mga3-32-ok mga3-64-ok
Source RPM: curl-7.28.1-6.1.mga3.src.rpm CVE:
Status comment:

Description David Walser 2013-11-18 22:13:18 CET 
Debian has issued an advisory on November 17:
http://lists.debian.org/debian-security-announce/2013/msg00212.html

The upstream advisory for this issue is here:
http://curl.haxx.se/docs/adv_20131115.html

Cauldron is not affected as it was fixed upstream in 7.33.0.

Patched packages uploaded for Mageia 2 and Mageia 3.

Advisory:
========================

Updated curl packages fix security vulnerability:

Scott Cantor discovered that curl, a file retrieval tool, would disable the
CURLOPT_SSLVERIFYHOST check when the CURLOPT_SSL_VERIFYPEER setting was
disabled. This would also disable ssl certificate host name checks when it
should have only disabled verification of the certificate trust chain
(CVE-2013-4545).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4545
http://curl.haxx.se/docs/adv_20131115.html
http://www.debian.org/security/2013/dsa-2798
========================

Updated packages in core/updates_testing:
========================
curl-7.24.0-1.3.mga2
libcurl4-7.24.0-1.3.mga2
libcurl-devel-7.24.0-1.3.mga2
curl-examples-7.24.0-1.3.mga2
curl-7.28.1-6.2.mga3
libcurl4-7.28.1-6.2.mga3
libcurl-devel-7.28.1-6.2.mga3
curl-examples-7.28.1-6.2.mga3

from SRPMS:
curl-7.24.0-1.3.mga2.src.rpm
curl-7.28.1-6.2.mga3.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2013-11-18 22:13:26 CET

Whiteboard: (none) => MGA2TOO

Comment 1 claire robinson 2013-11-19 10:51:31 CET 
Procedure: https://bugs.mageia.org/show_bug.cgi?id=4307#c11

Whiteboard: MGA2TOO => MGA2TOO has_procedure

Comment 2 claire robinson 2013-11-19 12:59:48 CET 
Advisory uploaded. Please remove the 'advisory' whiteboard tag if anything changes.

Whiteboard: MGA2TOO has_procedure => MGA2TOO has_procedure advisory

Comment 3 Dan Fandrich 2013-11-19 22:22:03 CET 
Tested successfully on mga2 x86 with procedure in comment#1, except using pop3s and imaps instead of pop3 and imap, respectively.

CC: (none) => dan

Comment 4 David Walser 2013-11-19 23:50:57 CET 
(In reply to Dan Fandrich from comment #3)
> Tested successfully on mga2 x86 with procedure in comment#1, except using
> pop3s and imaps instead of pop3 and imap, respectively.

I assume you mean i586.  Adding the whiteboard marker.  Thanks for testing, Dan.

Whiteboard: MGA2TOO has_procedure advisory => MGA2TOO has_procedure advisory MGA2-32-OK

Comment 5 claire robinson 2013-11-20 16:15:26 CET 
Testing complete mga2 64

Whiteboard: MGA2TOO has_procedure advisory MGA2-32-OK => MGA2TOO has_procedure advisory MGA2-32-OK mga2-64-ok

Comment 6 Samuel Verschelde 2013-11-20 16:18:20 CET 
Testing complete x86_64, but not testing pop3 because not sure if it would remove the mail from the server.
Comment 7 claire robinson 2013-11-20 16:26:07 CET 
It doesn't remove it Samuel. Thanks for testing.

Testing complete mga3 32 & 64

Validating.

Could sysadmin please push from 2&3 core/updates_testing to updates.

Thanks!

Keywords: (none) => validated_update
Whiteboard: MGA2TOO has_procedure advisory MGA2-32-OK mga2-64-ok => MGA2TOO has_procedure advisory MGA2-32-OK mga2-64-ok mga3-32-ok mga3-64-ok
CC: (none) => sysadmin-bugs

Comment 8 Thomas Backlund 2013-11-20 22:02:42 CET 
Update pushed:
http://advisories.mageia.org/MGASA-2013-0338.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Comment 9 David Walser 2013-11-21 14:58:05 CET 
FYI, adding this patch to the Mageia 2 version of curl uncovered a bug in curl with the --insecure option, where that option should disable SSL host verification and fails to do so.  This was fixed in newer versions of curl, so Mageia 3 is unaffected.  I've have added the simple one-liner fix in Mageia 2 SVN to fix this, but I won't push for a bugfix update unless someone thinks it's really important.

References:
http://lists.debian.org/debian-security-announce/2013/msg00213.html
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729965