Bug 17077

Summary: python-curl new use-after-free issue fixed upstream in 7.19.5.2
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, herman.viaene, makowski.mageia, sysadmin-bugs, tarazed25
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/663522/
Whiteboard: MGA5-32-OK mga5-64-ok advisory
Source RPM: python-curl-7.19.5-5.mga6.src.rpm CVE:
Status comment:
Attachments: testpy2.py - test script for python 2
testpy3.py - test script for python 3

Description David Walser 2015-11-03 15:26:46 CET 
A CVE has been requested for an issue fixed upstream in python-curl:
http://openwall.com/lists/oss-security/2015/11/03/4

The commit to fix it is linked in the message above.

Reproducible: 

Steps to Reproduce:
Comment 1 Philippe Makowski 2015-11-03 23:14:58 CET 
ok I will move Cauldron to 7.19.5.2 or 7.19.5.3
and will patch python-curl-7.19.5-4.mga5.src.rpm

Status: NEW => ASSIGNED

Comment 2 Philippe Makowski 2015-11-05 19:57:48 CET 
done in 
python-curl-7.19.5.3-1.mga6
python3-curl-7.19.5.3-1.mga6

and 

python-curl-7.19.5-4.1.mga5
python3-curl-7.19.5-4.1.mga5

Assignee: makowski.mageia => security

Comment 3 David Walser 2015-11-05 20:06:28 CET 
Thanks.  MITRE had some questions about whether it's a real security issue or not, so holding off on assigning to QA until there's more clarity there.

CC: (none) => makowski.mageia
Version: Cauldron => 5

Comment 4 David Walser 2015-11-06 14:59:32 CET 
Fedora has issued an advisory for this on November 5:
https://lists.fedoraproject.org/pipermail/package-announce/2015-November/170967.html

Let's go ahead with this.

Advisory:
========================

Updated python-curl packages fix security vulnerability:

A use-after-free vulnerability was found in Curl object's HTTPPOST setopt when
a Unicode value is passed as a value with a FORM_BUFFERPTR. The str object
created from the passed in unicode object would have its buffer used but the
unicode object would be stored instead of the str object (rhbz#1277488).

References:
http://openwall.com/lists/oss-security/2015/11/03/4
https://lists.fedoraproject.org/pipermail/package-announce/2015-November/170967.html

Assignee: security => qa-bugs

David Walser 2015-11-06 20:29:24 CET

URL: (none) => http://lwn.net/Vulnerabilities/663522/

Comment 5 Herman Viaene 2015-11-10 16:00:36 CET 
MGA5-32 on AcerD620 Xfce
No installation issues.
Found virtaal to be a dependent package. Run it with both the old version and then the updated after checking with strace that the python-curl package is used by it.
No problems found.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK

Comment 6 Len Lawrence 2015-11-10 16:59:22 CET 
mga5  x86_64  Mate

Upgraded the packages to
python-curl-7.19.5-4.1.mga5
python3-curl-7.19.5-4.1.mga5

$ urpmq --whatrequires python-curl
bzr
fence-agents
miro
oz
python-curl
python-tornado
python-urlgrabber
shinken
virtaal
wfuzz

Nothing familiar there except miro so I installed miro and attempted to run it.  Nothing seemed to happen.  At the command line it simply hung and needed to be killed from another terminal.  From the menu nothing happened.  Tried running it under strace and saw that it used gdb but could not see anything helpful in the out put but it exited normally.  Specified a local video file at the command line.  No result.

$ miro --unittest
This performed 709 tests and reported 4 errors.  ??
Cannot tell from this if python-curl is OK or not but miro does not work anyway.

$ urpmq --whatrequires python3-curl
python3-curl
system-config-printer-libs

Will try this on another test system which needs to have a printer queue added, later.

CC: (none) => tarazed25

Comment 7 Herman Viaene 2015-11-10 17:08:05 CET 
I had the same problem with miro with the previous stable version of python-curl as Lewis in Comment 6. Gave up on that.
Comment 8 Herman Viaene 2015-11-10 17:08:56 CET 
Sorry, Len not Lewis.
Comment 9 Philippe Makowski 2015-11-10 17:24:52 CET 
you also have some samples here : http://pycurl.sourceforge.net/doc/quickstart.html
Comment 10 claire robinson 2015-11-10 18:37:38 CET 
Created attachment 7193 [details]
testpy2.py - test script for python 2

$ python testpy2.py  
<?xml version="1.0" encoding="iso-8859-1"?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
...etc
Comment 11 claire robinson 2015-11-10 18:38:23 CET 
Created attachment 7194 [details]
testpy3.py - test script for python 3

$ python3 testpy3.py 
<?xml version="1.0" encoding="iso-8859-1"?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
...etc
Comment 12 claire robinson 2015-11-10 18:38:51 CET 
Testing complete mga5 64, as above.

Whiteboard: MGA5-32-OK => MGA5-32-OK mga5-64-ok

claire robinson 2015-11-10 18:39:05 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2015-11-10 21:02:10 CET

CC: (none) => davidwhodgins
Whiteboard: MGA5-32-OK mga5-64-ok => MGA5-32-OK mga5-64-ok advisory

Comment 13 Mageia Robot 2015-11-10 22:27:32 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0440.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED