Bug 14985

Summary: curl new security issue CVE-2014-8150
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: herman.viaene, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/628973/
Whiteboard: has_procedure advisory MGA4-64-OK MGA4-32-OK
Source RPM: curl-7.34.0-1.4.mga4.src.rpm CVE:
Status comment:

Description David Walser 2015-01-08 17:54:41 CET 
Upstream has issued an advisory today (January 8):
http://curl.haxx.se/docs/adv_20150108B.html

The issue is fixed upstream in 7.40.0 (freeze push requested for Cauldron) and there's a patch available.

Note: 7.40.0 also fixes CVE-2014-8151, which only affects Mac OS X and iOS.

Patched packages uploaded for Mageia 4.

Advisory:
========================

Updated curl packages fix security vulnerability:

When libcurl sends a request to a server via a HTTP proxy, it copies the
entire URL into the request and sends if off. If the given URL contains line
feeds and carriage returns those will be sent along to the proxy too, which
allows the program to for example send a separate HTTP request injected
embedded in the URL (CVE-2014-8150).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8150
http://curl.haxx.se/docs/adv_20150108B.html
========================

Updated packages in core/updates_testing:
========================
curl-7.34.0-1.5.mga4
libcurl4-7.34.0-1.5.mga4
libcurl-devel-7.34.0-1.5.mga4
curl-examples-7.34.0-1.5.mga4

from curl-7.34.0-1.5.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2015-01-08 17:55:12 CET 
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=14468#c4

Whiteboard: (none) => has_procedure

Comment 2 Herman Viaene 2015-01-09 10:50:45 CET 
MGA4-64 on HP Probook 6555b KDE
ref testcases Comment 4
I did no try IMAP
Last 3 examples complete successfully.
The test on pop3 : mixed bag. Tried with 3 different providers:
one: responds : curl: (67) Authentication cancelled
second (gmail): just times out
third retrieves mail OK.

CC: (none) => herman.viaene
Whiteboard: has_procedure => has_procedure MGA4-64 OK

Comment 3 Herman Viaene 2015-01-09 10:51:35 CET 
Comment 4 on bug 14468.
Comment 4 Herman Viaene 2015-01-09 11:05:46 CET 
MGA4-32 on AcerD620 Xfce
Tests 1, 3, 4 and 5 as above OK

Whiteboard: has_procedure MGA4-64 OK => has_procedure MGA4-64 OK MGA4-32-OK

Herman Viaene 2015-01-09 11:06:36 CET

Whiteboard: has_procedure MGA4-64 OK MGA4-32-OK => has_procedure MGA4-64-OK MGA4-32-OK

Comment 5 claire robinson 2015-01-09 16:14:23 CET 
Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs

Comment 6 David Walser 2015-01-09 17:19:00 CET 
Debian has issued an advisory for this on January 8:
https://www.debian.org/security/2015/dsa-3122

URL: (none) => http://lwn.net/Vulnerabilities/628973/

Comment 7 Mageia Robot 2015-01-09 17:44:52 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0020.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED