Bug 19360

Summary: curl new security issue CVE-2016-7167
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: davidwhodgins, herman.viaene, lewyssmith, sysadmin-bugs
Version: 5
Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/700965/
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK advisory
Source RPM: curl-7.40.0-3.4.mga5.src.rpm
CVE:
Status comment:

Description David Walser 2016-09-14 21:39:52 CEST
Upstream has issued an advisory today (September 14):
https://curl.haxx.se/docs/adv_20160914.html

Updated package uploaded for Cauldron.

Patched package uploaded for Mageia 5.

Advisory:
========================

Updated curl packages fix security vulnerability:

The four libcurl functions curl_escape(), curl_easy_escape(), curl_unescape and
curl_easy_unescape perform string URL percent escaping and unescaping. They
accept custom string length inputs in signed integer arguments. The provided
string length arguments were not properly checked and due to arithmetic in the
functions, passing in the length 0xffffffff (2^32-1 or UINT_MAX or even just -1)
would end up causing an allocation of zero bytes of heap memory that curl would
attempt to write gigabytes of data into (CVE-2016-7167).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7167
https://curl.haxx.se/docs/adv_20160914.html
========================

Updated packages in core/updates_testing:
========================
curl-7.40.0-3.5.mga5
libcurl4-7.40.0-3.5.mga5
libcurl-devel-7.40.0-3.5.mga5
curl-examples-7.40.0-3.5.mga5

from curl-7.40.0-3.5.mga5.src.rpm
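
The length arithmetic described in the advisory above, as an added example (not part of this bug report and not libcurl's source code): a model of how a signed length of -1 turns into a zero-byte allocation request, next to an escape routine that validates the length first. The names `alloc_size_unchecked` and `escape_checked` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the unchecked arithmetic: the signed length is converted to
   size_t and one byte is added for the terminator. With inlength == -1
   the conversion gives SIZE_MAX, and SIZE_MAX + 1 wraps to 0. */
static size_t alloc_size_unchecked(const char *s, int inlength)
{
    return (inlength ? (size_t)inlength : strlen(s)) + 1;
}

/* Hardened percent-escape (illustrative): rejects negative lengths and checks
   the worst case (every byte becomes %XX) before allocating. */
static char *escape_checked(const char *s, int inlength)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t len, i, o = 0;
    char *out;

    if (s == NULL || inlength < 0)
        return NULL;                      /* the check the advisory says was missing */
    len = inlength ? (size_t)inlength : strlen(s);
    if (len > (SIZE_MAX - 1) / 3)
        return NULL;                      /* len * 3 + 1 would overflow */
    out = malloc(len * 3 + 1);
    if (out == NULL)
        return NULL;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
            (c >= '0' && c <= '9') || c == '-' || c == '.' || c == '_' || c == '~') {
            out[o++] = (char)c;           /* unreserved: copied as-is */
        } else {
            out[o++] = '%';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 15];
        }
    }
    out[o] = '\0';
    return out;
}

int main(void)
{
    char *e = escape_checked("a b/c", 0); /* constructed sample input */
    printf("unchecked size for -1: %zu\n", alloc_size_unchecked("a b/c", -1));
    printf("escaped: %s\n", e ? e : "(null)");
    free(e);
    return 0;
}
```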
Comment 1 David Walser 2016-09-14 21:40:34 CEST
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=14468#c4

(basic testing is fine since most things are checked during build-time tests)

Whiteboard: (none) => has_procedure

Comment 2 Herman Viaene 2016-09-16 11:28:00 CEST
MGA5-32 on Acer D620 Xfce
No installation issues.
Did tests as referred above, except IMAP, all OK.

CC: (none) => herman.viaene

Herman Viaene 2016-09-16 11:28:16 CEST

Whiteboard: has_procedure => has_procedure MGA5-32-OK

David Walser 2016-09-16 19:04:22 CEST

URL: (none) => http://lwn.net/Vulnerabilities/700965/

Comment 3 Lewis Smith 2016-09-19 21:29:48 CEST
Testing Mageia 5 x64.

BEFORE update; ran through the tests (also except IMAP) cited in the Comment 1 link just to make sure it worked.

AFTER update to:
 curl-7.40.0-3.5.mga5
 lib64curl4-7.40.0-3.5.mga5

1)  $ curl pop3://user:password@pop.free.fr/1
output the 1st queued message.

2) $ curl -L https://ixquick.com
output the HTML page.

3) $ curl -l ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/i586/media/core/updates/
output the relevant updates directory listing.

4) $ curl -o qarte.rpm ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/i586/media/core/updates/qarte-2.2.0-1.mga4.noarch.rpm
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  365k  100  365k    0     0   114k      0  0:00:03  0:00:03 --:--:--  116k
 $ ls -l
 -rw-r--r-- 1 lewis lewis  373896 Med  19 21:26 qarte.rpm
i.e. the specified file was correctly downloaded.

This update is OK. Validated.

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK MGA5-64-OK
CC: (none) => lewyssmith, sysadmin-bugs

Comment 4 Dave Hodgins 2016-09-21 16:43:28 CEST
Advisory added to svn

CC: (none) => davidwhodgins
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory

Comment 5 Mageia Robot 2016-09-21 22:39:33 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0316.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED