Bug 19301

Summary: curl: Incorrect reuse of client certificates CVE-2016-7141
Product: Mageia
Reporter: Philippe Makowski <makowski.mageia>
Component: Security
Assignee: Mageia Bug Squad <bugsquad>
Status: RESOLVED INVALID
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: marja11
Version: Cauldron
Target Milestone: ---
Hardware: All
OS: Linux
URL: http://lwn.net/Vulnerabilities/700112/
Whiteboard: MGA5TOO
Source RPM: curl-7.50.1-2.mga6
CVE:
Status comment:

Description Philippe Makowski 2016-09-07 14:04:11 CEST
(https://curl.haxx.se/docs/adv_20160907.html)

VULNERABILITY
-------------

libcurl built on top of NSS (Network Security Services) incorrectly re-used
client certificates if a certificate from file was used for one TLS connection
but no certificate set for a subsequent TLS connection.

While the symptoms are similar to CVE-2016-5420 (Re-using connection with wrong
client cert), this vulnerability was caused by an implementation detail of the
NSS backend in libcurl, which is orthogonal to the cause of CVE-2016-5420.

We are not aware of any exploit of this flaw.

INFO
----

This flaw also affects the curl command line tool.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2016-7141 to this issue.

AFFECTED VERSIONS
-----------------

This flaw is present in curl and libcurl only if they are built with the
support for NSS and only if the libnsspem.so library is available at run-time.

- Affected versions: libcurl 7.19.6 to and including 7.50.1
- Not affected versions: libcurl >= 7.50.2

libcurl is used by many applications, but not always advertised as such!

THE SOLUTION
------------

A fix for this flaw is included in libcurl 7.50.2 via
[commit `curl-7_50_2~32`](https://github.com/curl/curl/commit/curl-7_50_2~32).
For older releases of libcurl there is a
[patch for CVE-2016-7141](https://curl.haxx.se/CVE-2016-7141.patch).

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

 A - Apply the patch on the source code of libcurl and rebuild.

 B - Configure libcurl to use a different TLS backend and rebuild.

 C - Use certificates from NSS database instead of loading them from files.

TIME LINE
---------

This flaw was reported by Red Hat on August 22nd.  The patch fixing the flaw
was published on September 5th.  CVE-2016-7141 was assigned to this flaw on
September 6th.  This advisory was published on September 7th.

Philippe Makowski 2016-09-07 14:04:59 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2016-09-07 14:48:47 CEST
Our curl is built against openssl, not nss.

Status: NEW => RESOLVED
Resolution: (none) => INVALID
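
The applicability check behind Comment 1, as an added example that is not part of the original bug report or the curl advisory: it reads the first line of `curl --version` and tests the two conditions from AFFECTED VERSIONS that the banner exposes (NSS backend, libcurl 7.19.6 to 7.50.1). The function names, result labels and sample banners are constructed for illustration.

```shell
#!/bin/sh
# Triage helper for CVE-2016-7141 based on the first line of `curl --version`.
# It checks only the two conditions visible in that banner: NSS backend and
# libcurl version 7.19.6 to 7.50.1. It cannot see whether libnsspem.so is
# present at run-time or whether a distribution backported the patch.

# Constructed sample banners (not captured from real systems).
SAMPLE_NSS='curl 7.50.1 (x86_64-pc-linux-gnu) libcurl/7.50.1 NSS/3.25 zlib/1.2.8'
SAMPLE_OPENSSL='curl 7.50.1 (x86_64-pc-linux-gnu) libcurl/7.50.1 OpenSSL/1.0.2h zlib/1.2.8'
SAMPLE_FIXED='curl 7.50.2 (x86_64-pc-linux-gnu) libcurl/7.50.2 NSS/3.26 zlib/1.2.8'

# Turn "X.Y.Z" into one integer so versions compare numerically.
ver_num() {
    v=${1%%[!0-9.]*}            # drop suffixes such as "-DEV"
    old_ifs=$IFS; IFS=.
    set -- $v
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Prints: unknown | not-affected-backend | not-affected-version | affected-range
cve_2016_7141_triage() {
    banner=$(printf '%s\n' "$1" | head -n 1)
    libver=$(printf '%s\n' "$banner" | sed -n 's/.*libcurl\/\([0-9][0-9.]*\).*/\1/p')
    [ -n "$libver" ] || { echo unknown; return 0; }
    case " $banner " in
        *" NSS/"*) ;;                               # NSS build: keep checking
        *) echo not-affected-backend; return 0 ;;   # e.g. OpenSSL, GnuTLS
    esac
    n=$(ver_num "$libver")
    if [ "$n" -ge "$(ver_num 7.19.6)" ] && [ "$n" -le "$(ver_num 7.50.1)" ]; then
        echo affected-range
    else
        echo not-affected-version
    fi
}

for s in "$SAMPLE_NSS" "$SAMPLE_OPENSSL" "$SAMPLE_FIXED"; do
    printf '%-22s %s\n' "$(cve_2016_7141_triage "$s")" "$s"
done
# On a real host: cve_2016_7141_triage "$(curl --version)"
```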

Comment 2 Marja Van Waes 2016-09-07 15:45:58 CEST
@ philippem

Thanks a lot for having stuck your neck out and filed this bug report.

Please do continue to file security bugs that might affect us.

You rock, because you try to the best of your knowledge :-)


And what do we, all others who should learn to file security bug reports, do?
I hope we'll follow your example!

CC: (none) => marja11

David Walser 2016-09-09 16:40:19 CEST

URL: https://curl.haxx.se/docs/adv_20160907.html => http://lwn.net/Vulnerabilities/700112/