| Summary: | curl new security issues CVE-2020-8169 and CVE-2020-8177 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, mageia, shlomif, sysadmin-bugs, tarazed25 |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | curl-7.66.0-1.mga7.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2020-06-24 23:02:43 CEST
Advisory:
========================

Updated curl packages fix security vulnerabilities:

libcurl can be tricked to prepend a part of the password to the host name before it resolves it, potentially leaking the partial password over the network and to the DNS server(s) (CVE-2020-8169).

curl can be tricked by a malicious server to overwrite a local file when using -J (--remote-header-name) and -i (--include) in the same command line (CVE-2020-8177).

The curl package has been updated to version 7.71.0, fixing these issues and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8169
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8177
https://curl.haxx.se/docs/CVE-2020-8169.html
https://curl.haxx.se/docs/CVE-2020-8177.html
https://curl.haxx.se/changes.html
========================

Updated packages in core/updates_testing:
========================
curl-7.71.0-1.mga7
libcurl4-7.71.0-1.mga7
libcurl-devel-7.71.0-1.mga7
curl-examples-7.71.0-1.mga7

from curl-7.71.0-1.mga7.src.rpm

CC: (none) => shlomif

mga7, x86_64

Looked at the links given without finding any useful reproducers so went straight for the updates. Tried the simplest possible commands to test this. One would need a list of target sites to test all of the options in any meaningful way.

$ curl --output shadow.jpg https://apod.nasa.gov/apod/image/2006/EuropaJupiter_Voyager_2792.jpg
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  766k  100  766k    0     0   268k      0  0:00:02  0:00:02 --:--:--  268k

Viewed shadow.jpg with eom.

Retrieved decoded METAR data for three airports:

$ curl ftp://tgftp.nws.noaa.gov/data/observations/metar/decoded/{EGPH,LFBL,KSAN}.TXT
Edinburgh Airport, United Kingdom (EGPH) 55-57N 003-21W 0M
Jun 28, 2020 - 11:50 AM EDT / 2020.06.28 1550 UTC
Wind: from the WSW (240 degrees) at 16 MPH (14 KT):0
[...]
Limoges, France (LFBL) 45-52N 001-11E 402M
Jun 28, 2020 - 12:00 PM EDT / 2020.06.28 1600 UTC
Wind: from the W (260 degrees) at 6 MPH (5 KT) (direction variable):0
Visibility: greater than 7 mile(s):0
Sky conditions: overcast
[...]
SAN DIEGO INTERNATIONAL \LINDBERGH FLD, CA, United States (KSAN) 32-44N 117-11W 12M
Jun 28, 2020 - 11:51 AM EDT / 2020.06.28 1551 UTC
Wind: from the SSW (200 degrees) at 8 MPH (7 KT):0
Visibility: 10 mile(s):0
....

Giving this an OK.

Whiteboard: (none) => MGA7-64-OK

Make sure you test something using libcurl since it was upgraded.

@David. Thanks for the reminder - asleep on the job again :-(
Quite a long list - counted 223 packages including
apache
cargo
clamav
enigma
feh
kodi
mediatomb
uget
weechat
$ strace -o trace cargo run hello_world
Compiling hello_world v0.1.0 (/home/lcl/dev/rust/projects/hello_world)
Finished dev [unoptimized + debuginfo] target(s) in 0.23s
Running `target/debug/hello_world hello_world`
Hello World
I'm a Rustacean!
$ grep curl trace
openat(AT_FDCWD, "/lib64/libcurl.so.4", O_RDONLY|O_CLOEXEC) = 3
read(3, " /usr/lib64/libcurl.so.4"..., 1024) = 1024
That is not a satisfactory test though because there were probably no internet transactions.
$ strace -o trace.sqtoy cargo build
Updating crates.io index
Compiling libc v0.2.71
Compiling rand_core v0.4.2
.....
Compiling gfx v0.16.3
Compiling gfx_window_glutin v0.16.0
Compiling sqtoy v0.1.0 (/home/lcl/dev/rust/sqtoy)
Compilation looked successful although the build failed on a source code error.
$ grep curl trace.sqtoy
openat(AT_FDCWD, "/lib64/libcurl.so.4", O_RDONLY|O_CLOEXEC) = 3
read(3, " /usr/lib64/libcurl.so.4"..., 1024) = 1024
Not happy about this either because it is not clear if the modules were already "in house" or downloaded as needed.
Tried weechat - new to me - but could not figure out what was needed to join #mageia-qa - got as far as freenode.
$ grep curl trace.weechat
openat(AT_FDCWD, "/lib64/libcurl.so.4", O_RDONLY|O_CLOEXEC) = 3
No reads there.
Installed feh and:
$ strace -o trace.feh feh https://apod.nasa.gov/apod/image/2006/SkyReflections_Godward_2000.jpg
That displayed the APOD immediately.
$ grep curl trace.feh
openat(AT_FDCWD, "/lib64/libcurl.so.4", O_RDONLY|O_CLOEXEC) = 3
Going to take that as a good result.
Validating. Advisory in Comment 1.

Keywords: (none) => validated_update
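The strace checks in the comment above show only that /lib64/libcurl.so.4 was opened, which is why the tester is unhappy that cargo and weechat may never have made a network transaction through it. The helper below is an added example, not part of the bug report or of curl; it reads a trace file written with `strace -o FILE program` (add `-f` to follow child processes such as a compiled binary run by cargo) and classifies it by whether a successful open of libcurl was followed by connect()/sendto()/sendmsg() calls. The three trace files are constructed inline for the example and are not real captures; the 192.0.2.10 address is a documentation placeholder.

```shell
#!/bin/sh
# Added example for this page; not part of the Mageia bug report or of curl.
# Given an strace log from `strace -o FILE program ...`, decide whether
# libcurl was merely mapped into the process or actually used for traffic:
#   no-libcurl   - libcurl.so was never opened successfully
#   loaded-only  - libcurl.so was opened, but no connect()/sendto()/sendmsg()
#                  followed, so the updated library was not exercised
#   exercised    - libcurl.so was opened and network syscalls followed it
libcurl_trace_verdict() {
    trace="$1"
    # Line number of the first successful open of libcurl. strace prints
    # "= -1 ENOENT ..." for a failed openat, so those lines are skipped.
    open_line=$(grep -n 'libcurl\.so' "$trace" | grep -v '= -1 ' | head -n 1 | cut -d: -f1)
    if [ -z "$open_line" ]; then
        echo "no-libcurl"
        return 0
    fi
    # Count outbound network syscalls from that point on. `grep -c` exits 1
    # when the count is zero, hence `|| true` so callers under `set -e` survive.
    net=$(tail -n +"$open_line" "$trace" | grep -c -E '^(connect|sendto|sendmsg)\(') || true
    if [ "${net:-0}" -gt 0 ]; then
        echo "exercised"
    else
        echo "loaded-only"
    fi
}

# Constructed sample traces (not real captures) so the script runs offline.
TRACE_DIR=$(mktemp -d)
trap 'rm -rf "$TRACE_DIR"' EXIT

# libcurl is absent; the connect() comes from some other library.
SAMPLE_NO_LIBCURL="$TRACE_DIR/no-libcurl.trace"
cat > "$SAMPLE_NO_LIBCURL" <<'EOF'
openat(AT_FDCWD, "/lib64/libcurl.so.4", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, IPPROTO_TCP) = 5
connect(5, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
EOF

# libcurl is mapped by the dynamic loader but the program never goes online
# (the situation the tester describes for `cargo run hello_world`).
SAMPLE_LOADED_ONLY="$TRACE_DIR/loaded-only.trace"
cat > "$SAMPLE_LOADED_ONLY" <<'EOF'
openat(AT_FDCWD, "/lib64/libcurl.so.4", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0"..., 832) = 832
close(3) = 0
write(1, "Hello World\n", 12) = 12
EOF

# libcurl is mapped and a TLS connection follows: the update was exercised.
SAMPLE_EXERCISED="$TRACE_DIR/exercised.trace"
cat > "$SAMPLE_EXERCISED" <<'EOF'
openat(AT_FDCWD, "/lib64/libcurl.so.4", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0"..., 832) = 832
close(3) = 0
socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, IPPROTO_TCP) = 5
connect(5, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
sendto(5, "\26\3\1\2\0\1\0\1\374\3\3"..., 517, MSG_NOSIGNAL, NULL, 0) = 517
EOF

for t in "$SAMPLE_NO_LIBCURL" "$SAMPLE_LOADED_ONLY" "$SAMPLE_EXERCISED"; do
    printf '%s: %s\n' "$(basename "$t")" "$(libcurl_trace_verdict "$t")"
done
```

Run it against the trace files from the comment (`libcurl_trace_verdict trace.feh`, and so on); a "loaded-only" verdict means the test proved nothing about the new library beyond it being loadable, while "exercised" confirms traffic went through a process that had mapped the updated libcurl.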
Nicolas Lécureuil
2020-07-05 21:11:11 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0282.html

Resolution: (none) => FIXED

Debian has issued an advisory for this on March 30:
https://www.debian.org/security/2021/dsa-4881