| Summary: | curl new security issues CVE-2023-3854[56] | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | High | CC: | andrewsfarm, dan, herman.viaene, mageia, marja11, nicolas.salguero, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8TOO, has_procedure, MGA8-64-OK, MGA9-64-OK | | |
| Source RPM: | curl-8.3.0-1.mga10.src.rpm | CVE: | CVE-2023-38545, CVE-2023-38546 |
| Status comment: | will be fixed in version 8.4.0, on October 11 | | |
Description

Nicolas Salguero
2023-10-09 16:25:00 CEST

Nicolas Salguero
2023-10-09 16:25:20 CEST

Source RPM: (none) => curl-8.3.0-1.mga10.src.rpm

Again the CVE is worth reading. Assigning to Stig who has done the most recent version updates for curl.

Assignee: bugsquad => smelror

I've bumped Cauldron to 8.4.0 & will work on mga8/9 now.

Status: NEW => ASSIGNED

Versions for mga8/9 are now available in updates_testing:

mga9

x86_64 rpm list
curl-7.88.1-3.2.mga9.x86_64.rpm
curl-examples-7.88.1-3.2.mga9.noarch.rpm
lib64curl4-7.88.1-3.2.mga9.x86_64.rpm
lib64curl-devel-7.88.1-3.2.mga9.x86_64.rpm

i586 rpm list
curl-7.88.1-3.2.mga9.i586.rpm
curl-examples-7.88.1-3.2.mga9.noarch.rpm
libcurl4-7.88.1-3.2.mga9.i586.rpm
libcurl-devel-7.88.1-3.2.mga9.i586.rpm

srpm list
curl-7.88.1-3.2.mga9.src.rpm

mga8

x86_64 rpm list
curl-7.74.0-1.14.mga8.x86_64.rpm
curl-examples-7.74.0-1.14.mga8.noarch.rpm
lib64curl4-7.74.0-1.14.mga8.x86_64.rpm
lib64curl-devel-7.74.0-1.14.mga8.x86_64.rpm

i586 rpm list
curl-7.74.0-1.14.mga8.i586.rpm
curl-examples-7.74.0-1.14.mga8.noarch.rpm
libcurl4-7.74.0-1.14.mga8.i586.rpm
libcurl-devel-7.74.0-1.14.mga8.i586.rpm

srpm list
curl-7.74.0-1.14.mga8.src.rpm

Regression testing procedures:

The patches touch cookie handling and SOCKS5 handling. A simple SOCKS5 regression test can be run this way, by using tor as a SOCKS5 proxy server:

1. sudo urpmi tor
2. sudo systemctl start tor
3. sleep 120 # give tor a few minutes to warm up
4. curl -x socks5h://localhost:9050 https://ident.me
5. # that was your IP address via tor; compare that to your address w/o tor,
6. curl https://ident.me
7. sudo systemctl stop tor

The two IP addresses will be different if curl went through the Tor SOCKS5 proxy as expected.

As for the cookie test, there is a PoC for the flaw in the Hacker One report at https://hackerone.com/reports/2148242 with instructions on testing it, but it requires compiling and running the PoC. A simpler regression test for basic cookie support in curl is as follows:

1. rm -f /tmp/cookiejar /tmp/out.html
2. curl -d name=yummy -d value=chocolate -d path=/ -b /tmp/cookiejar -c /tmp/cookiejar https://setcookie.net/ -o /tmp/out.html
3. curl -d name=yummy -d value=chocolate -d path=/ -b /tmp/cookiejar -c /tmp/cookiejar https://setcookie.net/ -o /tmp/out.html # exactly the same
4. grep ' = ' /tmp/out.html

The grep command should show the line "<li><code>yummy = chocolate</code></li>" which indicates that a cookie was set by the server in step 2, then returned back to the server by curl in step 3.

Whiteboard: MGA9TOO, MGA8TOO => MGA9TOO, MGA8TOO, has_procedure

Actually, replacing step 3 in the cookie test above with this:

3. curl -b /tmp/cookiejar -c /tmp/cookiejar https://setcookie.net/ -o /tmp/out.html

provides a slightly more robust test, but it doesn't make a big difference.

Proposed security advisory text:
========================
Updated the curl package to fix two security vulnerabilities:

curl/libcurl is vulnerable to a heap buffer overflow in its SOCKS5 support that could be exploited by a remote web server when curl is configured to use a SOCKS5 proxy with remote hostname resolution.

libcurl is vulnerable to a cookie injection attack where a local attacker can inject cookies into certain vulnerable applications using libcurl.

References:
https://curl.se/docs/CVE-2023-38545.html
https://curl.se/docs/CVE-2023-38546.html
https://hackerone.com/reports/2187833
https://hackerone.com/reports/2148242
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38545
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38546

Updated packages in core/updates: (see above)

CVE: (none) => CVE-2023-38545, CVE-2023-38546
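The regression procedure above judges the cookie test by grepping the HTML that setcookie.net returns, and the SOCKS5 test by eyeballing two IP addresses. The following script is an added example, not code from this bug report or from the curl project, that makes both checks mechanical and independent of the remote site's markup: it parses the Netscape-format cookie jar curl writes with -c /tmp/cookiejar (the documented 7-field, tab-separated layout, with the #HttpOnly_ prefix curl uses for HttpOnly cookies) and confirms the yummy=chocolate cookie for path / was stored, and it treats the SOCKS5 test as passed only when both ident.me replies parse as IP addresses and differ. SAMPLE_JAR and the addresses used in the main block are constructed stand-ins, not captured from a real run; feed it the real /tmp/cookiejar and the real curl output to use it after the tests in comment 4.

```python
"""Offline checker for the curl cookie and SOCKS5 regression tests in this bug.

Added example (not from the Mageia bug or the curl project). It reads the
Netscape cookie jar curl writes with -c and checks that the cookie from step
2 of the cookie test was stored, and it evaluates the SOCKS5 test the way
the procedure describes: the address seen through the proxy must be a valid
IP address that differs from the direct one. SAMPLE_JAR is constructed to
look like what curl writes after step 2; it is not a captured file.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed sample jar. The "#HttpOnly_" prefix is curl's marker for
# HttpOnly cookies and must not be mistaken for a comment line.
SAMPLE_JAR = """# Netscape HTTP Cookie File
# https://curl.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.

setcookie.net\tFALSE\t/\tFALSE\t0\tyummy\tchocolate
#HttpOnly_setcookie.net\tFALSE\t/\tTRUE\t0\tsession\tabc123
"""

HTTPONLY_PREFIX = "#HttpOnly_"


@dataclass(frozen=True)
class Cookie:
    domain: str
    include_subdomains: bool  # TRUE when the cookie also applies to subdomains
    path: str
    secure: bool
    expires: int              # Unix time; 0 means a session cookie
    name: str
    value: str
    http_only: bool


def parse_cookie_jar(text: str) -> list[Cookie]:
    """Parse a Netscape cookie jar; raise ValueError on a malformed cookie line."""
    cookies: list[Cookie] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip("\r")
        http_only = line.startswith(HTTPONLY_PREFIX)
        if http_only:
            line = line[len(HTTPONLY_PREFIX):]
        elif not line.strip() or line.startswith("#"):
            continue  # blank line or a real comment
        fields = line.split("\t")
        if len(fields) != 7:
            raise ValueError(
                f"line {lineno}: expected 7 tab-separated fields, got {len(fields)}"
            )
        domain, flag, path, secure, expires, name, value = fields
        if flag not in ("TRUE", "FALSE") or secure not in ("TRUE", "FALSE"):
            raise ValueError(f"line {lineno}: flag fields must be TRUE or FALSE")
        cookies.append(
            Cookie(domain, flag == "TRUE", path, secure == "TRUE",
                   int(expires), name, value, http_only)
        )
    return cookies


def is_well_formed_jar(text: str) -> bool:
    """True when every cookie line of the jar parses."""
    try:
        parse_cookie_jar(text)
    except ValueError:
        return False
    return True


def has_cookie(cookies: list[Cookie], name: str, value: str, path: str = "/") -> bool:
    """True when a cookie with exactly this name, value and path is in the jar."""
    return any(c.name == name and c.value == value and c.path == path for c in cookies)


def socks5_routed(via_proxy: str, direct: str) -> bool:
    """SOCKS5 check from the procedure: both replies are IPs and they differ.

    An error message or empty output (curl failed) counts as a failed test,
    not as a "different address".
    """
    try:
        a = ipaddress.ip_address(via_proxy.strip())
        b = ipaddress.ip_address(direct.strip())
    except ValueError:
        return False
    return a != b


if __name__ == "__main__":
    jar = parse_cookie_jar(SAMPLE_JAR)
    print("cookie test:", "PASSED" if has_cookie(jar, "yummy", "chocolate") else "FAILED")
    # Constructed addresses standing in for the two ident.me replies.
    print("socks5 test:", "PASSED" if socks5_routed("203.0.113.7\n", "198.51.100.9\n") else "FAILED")
```

With a real run, replace SAMPLE_JAR by the contents of /tmp/cookiejar after step 2 and pass the two curl outputs from the SOCKS5 steps to socks5_routed; a jar line that does not have seven fields is reported as malformed rather than silently skipped, so a cookie-handling regression that corrupts the jar shows up as a failure instead of an empty result.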
PC LX
2023-10-11 12:57:52 CEST

CC: (none) => mageia

Advisory from Comment 6 with srpms from comment 3 uploaded. Please remove the "advisory" keyword if the advisory needs to be changed.

CC: (none) => marja11

curl-8.4.0-1.mga10 has landed in cauldron

Whiteboard: MGA9TOO, MGA8TOO, has_procedure => MGA8TOO, has_procedure

Installed and tested without issues.

System: Mageia 8, x86_64, Plasma DE, AMD Ryzen 5 5600G with Radeon Graphics.

$ uname -a
Linux jupiter 6.1.45-desktop-1.mga8 #1 SMP PREEMPT_DYNAMIC Fri Aug 11 22:01:56 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

Ran tests before and after update, no issues found in both.

==== BEFORE UPDATE ====
Testing curl-7.74.0-1.13.mga8

$ rpm -qa | grep curl.*7.74 | sort
curl-7.74.0-1.13.mga8
lib64curl4-7.74.0-1.13.mga8
lib64curl-devel-7.74.0-1.13.mga8
libcurl4-7.74.0-1.13.mga8

### SOCKS5 Proxy test
$ curl -x socks5h://localhost:9050 https://ident.me ; echo
199.249.230.83
$ curl https://ident.me ; echo
79.169.7.129
### SOCKS5 Proxy test PASSED

### Cookie test
$ rm -f /tmp/cookiejar
$ curl --silent -d name=yummy -d value=chocolate -d path=/ -b /tmp/cookiejar -c /tmp/cookiejar https://setcookie.net/ -o /tmp/out.html
$ grep yummy /tmp/out.html
<p>Received no cookies.</p><p class="success">Sent header: <code>Set-Cookie: yummy=chocolate; path=/</code></p> </article> <input name="name" id="name" required pattern="[A-Za-z0-9_\-]+" value="yummy" />
$ curl --silent -b /tmp/cookiejar -c /tmp/cookiejar https://setcookie.net/ -o /tmp/out.html
$ grep yummy /tmp/out.html
<li><code>yummy = chocolate</code></li>
### Cookie test PASSED

==== AFTER UPDATE ====

$ rpm -qa | grep curl.*7.74 | sort
curl-7.74.0-1.14.mga8
lib64curl4-7.74.0-1.14.mga8
lib64curl-devel-7.74.0-1.14.mga8
libcurl4-7.74.0-1.14.mga8

### Tor SOCKS5 Proxy test
$ curl -x socks5h://localhost:9050 https://ident.me ; echo
185.220.102.252
$ curl https://ident.me ; echo
79.169.7.129
### Tor SOCKS5 Proxy test PASSED

### Cookie test
$ rm -f /tmp/cookiejar
$ curl --silent -d name=yummy -d value=chocolate -d path=/ -b /tmp/cookiejar -c /tmp/cookiejar https://setcookie.net/ -o /tmp/out.html
$ grep yummy /tmp/out.html
<p>Received no cookies.</p><p class="success">Sent header: <code>Set-Cookie: yummy=chocolate; path=/</code></p> </article> <input name="name" id="name" required pattern="[A-Za-z0-9_\-]+" value="yummy" />
$ curl --silent -b /tmp/cookiejar -c /tmp/cookiejar https://setcookie.net/ -o /tmp/out.html
$ grep yummy /tmp/out.html
<li><code>yummy = chocolate</code></li>
### Cookie test PASSED

MGA9-64 Xfce on Acer Aspire 5253
No installation issues.
Trying to follow Comment 4 above

$ curl -x socks5h://localhost:9050 https://ident.me
192.42.116.187
$ curl https://ident.me
213.219.163.134
Looks OK.

$ rm -f /tmp/cookiejar /tmp/out.html
$ curl -d name=yummy -d value=chocolate -d path=/ -b /tmp/cookiejar -c /tmp/cookiejar https://setcookie.net/ -o /tmp/out.html
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4252  100  4219  100    33   8931     69 --:--:-- --:--:-- --:--:--  9008
$ curl -d name=yummy -d value=chocolate -d path=/ -b /tmp/cookiejar -c /tmp/cookiejar https://setcookie.net/ -o /tmp/out.html
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4301  100  4268  100    33  10970     84 --:--:-- --:--:-- --:--:-- 11085
$ grep ' = ' /tmp/out.html
<li><code>yummy = chocolate</code></li>
OK according to Comment 4

Whiteboard: MGA8TOO, has_procedure => MGA8TOO, has_procedure, MGA8-64-OK, MGA9-64-OK

Validating.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0288.html

Resolution: (none) => FIXED