| Summary: | curl new security issues CVE-2015-314[3458] | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | lewyssmith, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/641423/ | | |
| Whiteboard: | has_procedure advisory MGA4-64-OK | | |
| Source RPM: | curl-7.40.0-1.mga5.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser
2015-04-22 16:58:58 CEST

David Walser
2015-04-22 16:59:12 CEST
Whiteboard: (none) => MGA5TOO, MGA4TOO

Debian has issued an advisory for this today (April 22):
https://lists.debian.org/debian-security-announce/2015/msg00120.html

I see in this commit for wheezy where they had to also add an intermediate commit to introduce the code that was patched in the CVE-2015-3148 patch:
http://anonscm.debian.org/cgit/collab-maint/curl.git/commit/?h=wheezy&id=3f23fac29df7fe42fab32e32152c1f3102cab9e4

It's not clear to me how this isn't just introducing the vulnerability and then fixing it, but I guess I'm missing something. I'll add the additional patch.

Patches checked into Mageia 4 and Cauldron SVN. Freeze push requested for Cauldron.

The DSA referenced above will be posted here:
https://www.debian.org/security/2015/dsa-3232

David Walser
2015-04-22 19:30:04 CEST
URL: (none) => http://lwn.net/Vulnerabilities/641423/

The extra Debian patch isn't introducing the vulnerability; rather it's fixing a GSS data structure lifetime issue that doesn't affect connection reuse. Frankly, I'm a bit surprised Negotiate worked at all without that patch (Negotiate is not covered by the curl test suite, unfortunately). It's the connclose() call in the CVE-3148 patch that fixes the security issue, and it could also have been applied by rediffing the patch. But, I think the current set of patches in SVN is a better solution; I'm happy with what I see there now. Thanks for taking care of this.

Dan Fandrich
2015-04-22 22:43:33 CEST
Assignee: dan => luigiwalser

Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated curl packages fix security vulnerabilities:

NTLM-authenticated connections could be wrongly reused for requests without any credentials set, leading to HTTP requests being sent over the connection authenticated as a different user (CVE-2015-3143).

When parsing HTTP cookies, if the parsed cookie's "path" element consists of a single double-quote, libcurl would try to write to an invalid heap memory address. This could allow remote attackers to cause a denial of service (crash) (CVE-2015-3145).

When doing HTTP requests using the Negotiate authentication method along with NTLM, the connection used would not be marked as authenticated, making it possible to reuse it and send requests for one user over the connection authenticated as a different user (CVE-2015-3148).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3143
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3145
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3148
http://curl.haxx.se/docs/adv_20150422A.html
http://curl.haxx.se/docs/adv_20150422D.html
http://curl.haxx.se/docs/adv_20150422B.html
https://www.debian.org/security/2015/dsa-3232
========================

Updated packages in core/updates_testing:
========================
curl-7.34.0-1.6.mga4
libcurl4-7.34.0-1.6.mga4
libcurl-devel-7.34.0-1.6.mga4
curl-examples-7.34.0-1.6.mga4

from curl-7.34.0-1.6.mga4.src.rpm

Version: Cauldron => 4

Testing reference: https://bugs.mageia.org/show_bug.cgi?id=14468#c4

Testing MGA4 x64 real hardware.

With latest issued curl, did tests 1 3 4 5, saved their output.
Updated to:
curl-7.34.0-1.6.mga4
lib64curl4-7.34.0-1.6.mga4
and re-ran the same 4 tests, again saving their output. Compared the pre & post outputs, all of which were identical apart from hidden token values in a web page (Bug 14468). OK.

CC: (none) => lewyssmith

Validating. Advisory uploaded.

Please push to 4 updates
Thanks

Keywords: (none) => validated_update

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0179.html

Status: NEW => RESOLVED
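
The CVE-2015-3145 case from the advisory text above, a cookie "path" made of a single double-quote, as an added C illustration that is not libcurl's code and not part of this bug report. `strip_path_quotes` and `strips_to` are hypothetical names, and the unguarded `out[len - 1]` access mentioned in the comment is an assumption about how a quote-stripping routine reaches the invalid heap write.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not libcurl's function: return a heap copy of a cookie
   "path" value with one surrounding pair of double quotes removed.
   Caller frees the result; NULL means allocation failure. */
char *strip_path_quotes(const char *raw)
{
  size_t len = strlen(raw);
  char *out = malloc(len + 1);
  if(!out)
    return NULL;
  memcpy(out, raw, len + 1);

  /* Leading quote: shift the remaining len bytes (text plus NUL) left. */
  if(len && out[0] == '"') {
    memmove(out, out + 1, len);
    len--;
  }

  /* Trailing quote: len must be re-checked here. For the input "\"" the
     string is already empty, so an unguarded out[len - 1] would index the
     byte in front of the heap block. */
  if(len && out[len - 1] == '"')
    out[--len] = '\0';

  return out;
}

/* Returns 1 when stripping raw yields expected, 0 otherwise. */
int strips_to(const char *raw, const char *expected)
{
  char *got = strip_path_quotes(raw);
  int ok = got != NULL && strcmp(got, expected) == 0;
  free(got);
  return ok;
}

int main(void)
{
  /* Constructed sample values; the second is the case from the advisory. */
  const char *samples[] = { "\"/account\"", "\"", "\"\"", "/plain", "" };
  for(size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
    char *p = strip_path_quotes(samples[i]);
    printf("[%s] -> [%s]\n", samples[i], p ? p : "(alloc failed)");
    free(p);
  }
  return 0;
}
```

Building this with `-fsanitize=address` and removing the second `len &&` guard makes the single-quote sample fail immediately, which is a quick regression check for this class of bug.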