| Summary: | curl new security issue CVE-2014-3707 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | dan, herman.viaene, lewyssmith, olchal, olivier, rverschelde, shlomif, sysadmin-bugs, tarazed25 |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/619474/ | | |
| Whiteboard: | MGA3TOO has_procedure advisory MGA3-64-OK MGA4-64-OK MGA4-32-OK MGA3-32-OK | | |
| Source RPM: | curl-7.34.0-1.3.mga4.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2014-11-05 20:38:17 CET
David Walser
2014-11-05 20:38:24 CET
Whiteboard:
(none) =>
MGA4TOO, MGA3TOO

Dan, I tried updating to 7.39.0, but test 2034 failed:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20141105224234.ennael.valstar.518/log/curl-7.39.0-1.mga5/build.0.20141105224306.log

For now I've backported the patch, but it'd be nice if we could get 7.39.0 built.

CC:
(none) =>
dan

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

I don't have a concise description of the issue for now, so see the upstream advisory. I'll post an advisory once another distro provides a concise description.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3707
http://curl.haxx.se/docs/adv_20141105.html
========================

Updated packages in core/updates_testing:
========================
curl-7.28.1-6.6.mga3
libcurl4-7.28.1-6.6.mga3
libcurl-devel-7.28.1-6.6.mga3
curl-examples-7.28.1-6.6.mga3
curl-7.34.0-1.4.mga4
libcurl4-7.34.0-1.4.mga4
libcurl-devel-7.34.0-1.4.mga4
curl-examples-7.34.0-1.4.mga4

from SRPMS:
curl-7.28.1-6.6.mga3.src.rpm
curl-7.34.0-1.4.mga4.src.rpm

Version:
Cauldron =>
4

Test 2034 failing in some environments is a known issue without a solution yet:
http://curl.haxx.se/mail/lib-2014-11/0040.html

I suggest just disabling it (with !2034 in the test line) for the moment until it's figured out upstream.

Testing procedure (based off https://bugs.mageia.org/show_bug.cgi?id=4307#c11 but updated):

$ curl pop3://<login>:<password>@<mailhost>/1
to retrieve first email from pop3

$ curl imap://<login>:<password>@<mailhost>
to do the same with imap

$ curl -L https://<some-website.com>
shows website source

$ curl -l ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/i586/media/core/updates/
shows ftp directory listing

$ curl -o qarte.rpm ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/i586/media/core/updates/qarte-2.2.0-1.mga4.noarch.rpm

CC:
(none) =>
remi

Tested on Mageia3-64 following procedure in comment 4.

First tested with core package:
# rpm -q curl
curl-7.28.1-6.5.mga3
all 5 tests OK

Then updated to testing packages:
- curl-7.28.1-6.6.mga3.x86_64
- lib64curl4-7.28.1-6.6.mga3.x86_64

All 5 tests passed.

CC:
(none) =>
olchal

Debian has issued an advisory for this today (November 7):
https://lists.debian.org/debian-security-announce/2014/msg00257.html

Advisory:
========================

Updated curl packages fix security vulnerability:

Symeon Paraschoudis discovered that the curl_easy_duphandle() function in cURL has a bug that can lead to libcurl eventually sending off sensitive data that was not intended for sending, while performing a HTTP POST operation. This bug requires CURLOPT_COPYPOSTFIELDS and curl_easy_duphandle() to be used in that order, and then the duplicate handle must be used to perform the HTTP POST. The curl command line tool is not affected by this problem as it does not use this sequence (CVE-2014-3707).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3707
http://curl.haxx.se/docs/adv_20141105.html
https://www.debian.org/security/2014/dsa-3069

URL:
(none) =>
http://lwn.net/Vulnerabilities/619474/

Tests passed OK for curl-7.34.0-1.4.mga4 on x86_64: HTTPS/FTP/FTP -o
Not tested: IMAP/POP3

CC:
(none) =>
olivier

The curl package has an extensive build-time test suite containing hundreds of tests. It does not need to be extensively tested after the fact. If it installs cleanly and there's no obvious regressions, it's fine.

Confirming MGA4 x64 Comment 7 Comment 9. Tried the last 3 examples from Comment 4 both *before* and *after* the update. Results were the same:

$ curl -L https://<some-website.com>
fetched the page source.

$ curl -l ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/i586/media/core/updates/
listed the packages.

$ curl -o qarte.rpm ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/i586/media/core/updates/qarte-2.2.0-1.mga4.noarch.rpm
downloaded the qarte.rpm file.

In the light of Comment 8, OKing this.

CC:
(none) =>
lewyssmith

Tested fine with http:// and https:// on MGA4-32-OK.

CC:
(none) =>
shlomif

Forgot this...

In the CVE etc, and Comment 6 "The curl command line tool is not affected by this problem" I wonder at the relevance of the tests done. Curl's own description says, in addition, "libcurl is used by many applications". Apologies in advance if this remark is invalid.

Tested fine with http:// and https:// on MGA3-32-OK.

Whiteboard:
MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK <GA4-32-OK =>
MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK MGA4-32-OK MGA3-32-OK

Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords:
(none) =>
validated_update

W.r.t. comment 6, these tests aren't to ensure that the security issue has been patched, but rather to ensure that there haven't been regressions in core curl functionality. Test 545 in the curl test suite does a check for regressions in the functionality affected by the patch, and that's run at RPM build time.

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0444.html

Status:
NEW =>
RESOLVED

MGA4-64 on HP Probook 6555b KDE
ref testcases Comment 4
I did not try IMAP
Last 3 examples complete successfully.
The test on pop3: mixed bag. Tried with 3 different providers:
one: responds: curl: (67) Authentication cancelled
second (gmail): just times out
third retrieves mail OK.

@comment 17: sorry, I updated wrong bug.

Just to rubber-stamp it ran this in a 32-bit vbox. Executed the website and download tests after the update and all is well.

CC:
(none) =>
tarazed25

So did I.
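
For confirming that a host carries the patched builds named in this report, here is an added example (not part of the original bug thread and not Mageia tooling) that classifies `rpm -q` output lines against the fixed releases listed under "Updated packages". The version comparison is a simplified form of RPM's (no epoch, `~` or `^`), the status names are made up for this example, and the sample inventory is constructed from package names and versions on this page.

```python
import re

# Fixed builds from this report's "Updated packages" list, keyed by release tag.
FIXED = {"mga3": ("7.28.1", "6.6.mga3"), "mga4": ("7.34.0", "1.4.mga4")}
# Binary packages named on this page, all built from the curl source RPM.
PACKAGES = {"curl", "libcurl4", "lib64curl4", "libcurl-devel", "curl-examples"}
ARCH = re.compile(r"\.(x86_64|i586|noarch)$")


def vercmp(a, b):
    """Simplified RPM-style comparison (no epoch, '~' or '^'): -1, 0 or 1."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats letters
        kx, ky = (int(x), int(y)) if x.isdigit() else (x, y)
        if kx != ky:
            return 1 if kx > ky else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # extra segments win


def check(nvr):
    """Classify one `rpm -q` output line against the fixed builds."""
    parts = ARCH.sub("", nvr.strip()).rsplit("-", 2)
    if len(parts) != 3 or parts[0] not in PACKAGES:
        return "not-curl"
    _, version, release = parts
    tag = re.search(r"mga\d+", release)
    if not tag or tag.group() not in FIXED:
        return "unknown-release"
    fixed_version, fixed_release = FIXED[tag.group()]
    order = vercmp(version, fixed_version) or vercmp(release, fixed_release)
    return "fixed" if order >= 0 else "needs-update"


def audit(lines):
    """Map each inventory line to its classification."""
    return {line: check(line) for line in lines}


# Constructed inventory: package names and versions taken from this page.
SAMPLE = [
    "curl-7.28.1-6.5.mga3",
    "lib64curl4-7.28.1-6.6.mga3.x86_64",
    "curl-7.34.0-1.3.mga4",
    "libcurl-devel-7.34.0-1.4.mga4",
    "qarte-2.2.0-1.mga4.noarch",
]

if __name__ == "__main__":
    for line, status in audit(SAMPLE).items():
        print(f"{status:15} {line}")
```

The library packages are checked alongside the command line tool because the advisory places the bug in libcurl, which other applications link against.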