Bug 31031

Summary: curl new security issue CVE-2022-32221
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, nicolas.salguero, smelror, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: curl-7.74.0-1.8.mga8.src.rpm CVE:
Status comment:

Description David Walser 2022-10-26 15:25:33 CEST 
cURL has issued an advisory today (October 26):
https://curl.se/docs/CVE-2022-32221.html

The issue is fixed upstream in 7.86.0.

The other advisories today don't affect Mageia 8 (already fixed in Cauldron):
https://curl.se/docs/CVE-2022-35260.html
https://curl.se/docs/CVE-2022-42915.html
https://curl.se/docs/CVE-2022-42916.html
Comment 1 David Walser 2022-10-26 19:13:33 CEST 
openSUSE has issued an advisory for this today (October 26):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/734SGUJFGXNBARBMJSAYGM223PFRXDII/
Comment 2 Lewis Smith 2022-10-27 08:45:00 CEST 
Update to version 7.86.0 already in Cauldron; but this is for M8.
Assigning to Stig, CC'ing NicolasS.

Assignee: bugsquad => smelror
CC: (none) => nicolas.salguero

Comment 3 Stig-Ørjan Smelror 2022-10-27 11:11:51 CEST 
Advisory
========
A security issue was discovered in libcurl and has been patched by the developers.

CVE-2022-32221: When doing HTTP(S) transfers, libcurl might erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously was used to issue a PUT request which used that callback.


References
==========
https://curl.se/docs/CVE-2022-32221.html


Files
=====

Uploaded to core/updates_testing

curl-7.74.0-1.9.mga8
lib64curl4-7.74.0-1.9.mga8 
curl-examples-7.74.0-1.9.mga8
lib64curl-devel-7.74.0-1.9.mga8

from curl-7.74.0-1.9.mga8.src.rpm

Assignee: smelror => qa-bugs

David Walser 2022-10-27 12:05:59 CEST

CC: (none) => smelror

Comment 4 Thomas Andrews 2022-10-31 13:46:03 CET 
Tested on an HP Probook 6550b, mga8-64 Plasma system. No installation issues.

Curl has had several updates, and usually Herman tests using curl itself. This time, because libcurl is the target of the update, I decided to test with something that uses that. 

"urpmq --whatrequires lib64curl4" gives a long list. Network Manager is on that list, and it just so happens that this laptop uses Network Manager, so that's what I used to test.

After installing the update, I rebooted, just to make sure that NM was using the updated library from the start of the session. Wifi came up normally, and I was able to switch from one band of my network to the other with no problems. Connecting the Ethernet cable, I found that NM automatically connected both that and wifi at the same time. That seems to be not at all unusual, as I have seen it before. I could manipulate the connections as I desired. Finally, I removed the cable, made sure the wifi was connected, and rebooted once more. Wifi came up normally.

Calling this OK, and validating. Advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK

Dave Hodgins 2022-11-01 22:47:05 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2022-11-02 00:00:29 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0405.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED