Bug 12476 - curl new security issues CVE-2014-0015, CVE-2014-0138, and CVE-2014-0139
Summary: curl new security issues CVE-2014-0015, CVE-2014-0138, and CVE-2014-0139
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/583667/
Whiteboard: MGA3TOO has_procedure advisory mga3-3...
Keywords: validated_update
Duplicates: 12577
Depends on: 12608
Blocks:
Reported: 2014-01-29 21:29 CET by David Walser
Modified: 2014-04-03 02:57 CEST

See Also:
Source RPM: curl-7.34.0-1.mga4.src.rpm
CVE:
Status comment:


Attachments
cli output of curl install with the timeouts right after it is installed (54.05 KB, text/plain)
2014-02-07 22:32 CET, Marja Van Waes

Description David Walser 2014-01-29 21:29:43 CET
Upstream has issued an advisory today (January 29):
http://curl.haxx.se/docs/adv_20140129.html

The issue is fixed in 7.35.0, and there is a patch available.

David Walser 2014-01-29 21:29:55 CET

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 David Walser 2014-01-31 19:29:31 CET
Debian has issued an advisory for this today (January 31):
http://www.debian.org/security/2014/dsa-2849

URL: (none) => http://lwn.net/Vulnerabilities/583667/

Comment 2 David Walser 2014-02-04 19:41:30 CET
Updated (in Cauldron) and patched packages (Mageia 3/4) uploaded by Funda.

Advisory:
========================

Updated curl packages fix security vulnerabilities:

Paras Sethia discovered that libcurl, a client-side URL transfer library,
would sometimes mix up multiple HTTP and HTTPS connections with NTLM
authentication to the same server, sending requests for one user over the
connection authenticated as a different user (CVE-2014-0015).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0015
http://curl.haxx.se/docs/adv_20140129.html
http://www.debian.org/security/2014/dsa-2849
========================

Updated packages in core/updates_testing:
========================
curl-7.28.1-6.3.mga3
libcurl4-7.28.1-6.3.mga3
libcurl-devel-7.28.1-6.3.mga3
curl-examples-7.28.1-6.3.mga3
curl-7.34.0-1.1.mga4
libcurl4-7.34.0-1.1.mga4
libcurl-devel-7.34.0-1.1.mga4
curl-examples-7.34.0-1.1.mga4

from SRPMS:
curl-7.28.1-6.3.mga3.src.rpm
curl-7.34.0-1.1.mga4.src.rpm

CC: (none) => fundawang
Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

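The advisory above describes a connection-cache bug: a connection whose authentication state (NTLM here) is bound to one user gets handed to a request made as another user. The following is an added illustration of that bug class and its fix, written for this page; it is not libcurl code, and the pool model, function names and the constructed request list are assumptions. The weak key identifies a reusable connection by endpoint only; the hardened key makes the authenticating user part of the connection's identity.

```python
"""Connection-cache keying: a connection that carries per-user authentication
state must never be reused for a request made as a different user.
Added illustration for this bug report; not libcurl's own connection cache."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Connection:
    scheme: str
    host: str
    port: int
    # Connection-bound authentication (NTLM is the case in the advisory): once
    # the handshake has run, the server treats everything on this socket as
    # coming from this user.
    authenticated_as: Optional[str] = None


def key_weak(scheme: str, host: str, port: int, user: str) -> tuple:
    """'Before' behaviour: only the endpoint identifies a reusable connection."""
    return (scheme, host, port)


def key_hardened(scheme: str, host: str, port: int, user: str) -> tuple:
    """Hardened: the user the connection was authenticated as is part of its
    identity, so two users can never share a socket to the same server."""
    return (scheme, host, port, user)


class ConnectionPool:
    """Minimal reuse pool; the key function decides what 'same connection' means."""

    def __init__(self, keyfn: Callable[[str, str, int, str], tuple]):
        self._keyfn = keyfn
        self._conns: Dict[tuple, Connection] = {}

    def acquire(self, scheme: str, host: str, port: int, user: str) -> Connection:
        key = self._keyfn(scheme, host, port, user)
        conn = self._conns.get(key)
        if conn is None:
            conn = Connection(scheme, host, port)
            self._conns[key] = conn
        if conn.authenticated_as is None:
            conn.authenticated_as = user  # first request runs the auth handshake
        return conn


def misattributed_requests(keyfn, requests) -> List[Tuple[str, str]]:
    """Replay (scheme, host, port, user) requests through a pool and return
    every (requesting user, user the connection was authenticated as) pair
    where the two differ, i.e. requests the server will attribute wrongly."""
    pool = ConnectionPool(keyfn)
    leaks: List[Tuple[str, str]] = []
    for scheme, host, port, user in requests:
        conn = pool.acquire(scheme, host, port, user)
        if conn.authenticated_as != user:
            leaks.append((user, conn.authenticated_as))
    return leaks


# Constructed traffic (assumption): two users talking to one server over
# both HTTPS and HTTP, interleaved as a multi-user application would.
REQUESTS = [
    ("https", "intranet.example", 443, "alice"),
    ("https", "intranet.example", 443, "bob"),
    ("http", "intranet.example", 80, "bob"),
    ("http", "intranet.example", 80, "alice"),
]

if __name__ == "__main__":
    print("weak key    :", misattributed_requests(key_weak, REQUESTS))
    print("hardened key:", misattributed_requests(key_hardened, REQUESTS))
```

With the weak key, bob's HTTPS request goes out over alice's authenticated connection and alice's HTTP request over bob's; with the hardened key the list is empty. Putting the credentials in the cache key is one fix; checking at reuse time that `authenticated_as` matches the requesting user and opening a fresh connection otherwise is an equivalent one.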
Comment 3 David Walser 2014-02-04 19:42:31 CET
*** Bug 12577 has been marked as a duplicate of this bug. ***
Comment 4 Marja Van Waes 2014-02-06 10:44:10 CET
Both in Cauldron and in Mageia 4 I have many errors now when trying to install packages and updates.

I don't have a clue whether it is related to the new curl package; in Mga 4 I have

[u@localhost Desktop]$ rpm -qa | grep curl
libcurl4-7.34.0-1.1.mga4
curl-7.34.0-1.1.mga4


In Mageia 4 this first occurred right after I had installed the new curl
https://bugs.mageia.org/show_bug.cgi?id=12608

I don't have time to downgrade the curl packages now, sorry.

CC: (none) => marja11

Comment 5 Marja Van Waes 2014-02-06 16:33:00 CET
2014:02:06:13:21 < neoclust> marja: i confirm that reverting curl fixes my urpmi pbs

Don't know whether he meant 4 or cauldron, but I just tried the same in 4.

Downgrading to the 7.34.0.1.mga4 version of the packages solves the problem here, too.

For me and on Mga4, this is for i586.

@ Funda

Can you please look into this again?
Samuel Verschelde 2014-02-07 17:33:04 CET

CC: (none) => stormi
Whiteboard: MGA3TOO => MGA3TOO feedback

David Walser 2014-02-07 20:54:59 CET

Depends on: (none) => 12608

Comment 6 Marja Van Waes 2014-02-07 22:32:14 CET
Created attachment 4960 [details]
cli output of curl install with the timeouts right after it is installed


Attaching my cli output from 2½ days ago, because Luigi12 said on IRC the timeouts issue shouldn't affect Mga4.

To me it looks very much the same as what I saw in cauldron, except that this is mga4 curl and not mga5.
Comment 7 David Walser 2014-02-10 21:36:14 CET
Dan, do you have any insight on this?

CC: (none) => dan

Comment 8 Samuel Verschelde 2014-02-24 19:22:53 CET
I got hit, don't know if it's a client or server issue.

retrieving rpm files from medium "Core Updates Testing"...
not using metalink since requested downloader does not handle it
retrieving ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/x86_64/media/core/updates_testing kernel-desktop-latest-3.12.13-2.mga4.x86_64.rpm kernel-desktop-devel-latest-3.12.13-2.mga4.x86_64.rpm kernel-desktop-devel-3.12.13-2.mga4-1-1.mga4.x86_64.rpm kernel-desktop-3.12.13-2.mga4-1-1.mga4.x86_64.rpm virtualbox-kernel-3.12.13-desktop-2.mga4-4.3.6-11.mga4.x86_64.rpm virtualbox-kernel-desktop-latest-4.3.6-11.mga4.x86_64.rpm
'/usr/bin/curl' '-q' '--location-trusted' '-R' '-f' '--disable-epsv' '--connect-timeout' '60' '--anyauth' '--stderr' '-' '-O' 'ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/x86_64/media/core/updates_testing/kernel-desktop-latest-3.12.13-2.mga4.x86_64.rpm' '-O' 'ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/x86_64/media/core/updates_testing/kernel-desktop-devel-latest-3.12.13-2.mga4.x86_64.rpm' '-O' 'ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/x86_64/media/core/updates_testing/kernel-desktop-devel-3.12.13-2.mga4-1-1.mga4.x86_64.rpm' '-O' 'ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/x86_64/media/core/updates_testing/kernel-desktop-3.12.13-2.mga4-1-1.mga4.x86_64.rpm' '-O' 'ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/x86_64/media/core/updates_testing/virtualbox-kernel-3.12.13-desktop-2.mga4-4.3.6-11.mga4.x86_64.rpm' '-O' 'ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/x86_64/media/core/updates_testing/virtualbox-kernel-desktop-latest-4.3.6-11.mga4.x86_64.rpm'
    ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/x86_64/media/core/updates_testing/kernel-desktop-latest-3.12.13-2.mga4.x86_64.rpm
    ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/x86_64/media/core/updates_testing/kernel-desktop-devel-latest-3.12.13-2.mga4.x86_64.rpm
    ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/x86_64/media/core/updates_testing/kernel-desktop-devel-3.12.13-2.mga4-1-1.mga4.x86_64.rpm
    ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/x86_64/media/core/updates_testing/kernel-desktop-3.12.13-2.mga4-1-1.mga4.x86_64.rpm
    ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/x86_64/media/core/updates_testing/virtualbox-kernel-3.12.13-desktop-2.mga4-4.3.6-11.mga4.x86_64.rpm
...retrieving failed: curl: (67) Access denied: 530
    ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/x86_64/media/core/updates_testing/virtualbox-kernel-desktop-latest-4.3.6-11.mga4.x86_64.rpm
...retrieving failed: curl: (67) Access denied: 530

...retrieving failed: curl: (67) Access denied: 530
error: curl failed: exited with 67

...retrieving failed: curl failed: exited with 67

Installation failed, some files are missing:
    ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/x86_64/media/core/updates_testing/kernel-desktop-devel-3.12.13-2.mga4-1-1.mga4.x86_64.rpm
    ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/x86_64/media/core/updates_testing/kernel-desktop-latest-3.12.13-2.mga4.x86_64.rpm
    ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/x86_64/media/core/updates_testing/kernel-desktop-devel-latest-3.12.13-2.mga4.x86_64.rpm
    ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/x86_64/media/core/updates_testing/virtualbox-kernel-3.12.13-desktop-2.mga4-4.3.6-11.mga4.x86_64.rpm
    ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/x86_64/media/core/updates_testing/virtualbox-kernel-desktop-latest-4.3.6-11.mga4.x86_64.rpm
    ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/x86_64/media/core/updates_testing/kernel-desktop-3.12.13-2.mga4-1-1.mga4.x86_64.rpm
You may need to update your urpmi database.

Try to continue anyway? (y/N)
Comment 9 Samuel Verschelde 2014-02-24 19:31:23 CET
After reproducing 4 times, I downgraded curl and lib64curl4 to the release version in mga4, and download succeeded.
Comment 10 David Walser 2014-02-24 19:33:39 CET
See Bug 12608; Dan Fandrich is a Mageia packager and upstream curl developer and confirmed the problem.  He didn't post a link to a report upstream, but hopefully it's being worked on there.
Comment 11 Dan Fandrich 2014-02-24 21:41:58 CET
There were a couple of related issues found with this patch, but I believe the current git HEAD now works. I'll try to extract the set of commits that can be back-ported.
Comment 12 Dan Fandrich 2014-03-23 23:10:37 CET
There will be another upstream curl release on Wednesday that will fix this issue as well as a few other high-priority ones.
Comment 13 David Walser 2014-03-23 23:25:51 CET
(In reply to Dan Fandrich from comment #12)
> There will be another upstream curl release on Wednesday that will fix this
> issue as well as a few other high-priority ones.

Thanks.  Will we be able to get a patch so that we can go forward with the security update for Mageia 3 and Mageia 4?
Comment 14 Dan Fandrich 2014-03-24 22:40:45 CET
Sorry about the delay; I'm having trouble finding the sustained time to do this kind of thing lately. I've updated the curl-7.35.0-cve-2014-0015.patch file in the mga4 branch (only) with an update that fixes the issue reported in comment #3 (a.k.a. bug #12608). That should now be ready to go to testing. However, I suggest waiting until 7.36.0 is released Wednesday before pushing this to updates, as that release will include another security fix that we'll want to include.
Comment 15 David Walser 2014-03-24 22:47:36 CET
Thanks Dan.  The updated parts of the patch don't apply cleanly in the Mageia 3 branch.  What can we do there?
Comment 16 Dan Fandrich 2014-03-25 00:30:17 CET
I've rebased the patch against 7.28.1 and checked it into the mga3 branch. I'm not nearly as confident in this patch since a lot has changed between 7.28.1 and 7.35.0, but I'll try to verify it more in a few days.
Comment 17 David Walser 2014-03-26 15:01:36 CET
Upstream has issued two more advisories today (March 26):
http://curl.haxx.se/docs/adv_20140326A.html
http://curl.haxx.se/docs/adv_20140326B.html

Patches checked into Mageia 3 and Mageia 4 SVN.

There were actually two other upstream advisories today, but they only affect Mac OS X and Windows.

All of these issues are fixed upstream in 7.36.0, which I uploaded to Cauldron.

Patched packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated curl packages fix security vulnerabilities:

Paras Sethia discovered that libcurl would sometimes mix up multiple HTTP
and HTTPS connections with NTLM authentication to the same server, sending
requests for one user over the connection authenticated as a different user
(CVE-2014-0015).

libcurl can in some circumstances re-use the wrong connection when asked to
do transfers using other protocols than HTTP and FTP, causing a transfer
that was initiated by an application to wrongfully re-use an existing
connection to the same server that was authenticated using different
credentials (CVE-2014-0138).

libcurl incorrectly validates wildcard SSL certificates containing literal
IP addresses, so under certain conditions, it would allow and use a wildcard
match specified in the CN field, allowing a malicious server to participate
in a MITM attack or just fool users into believing that it is a legitimate
site (CVE-2014-0139).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0015
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0138
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0139
http://curl.haxx.se/docs/adv_20140129.html
http://curl.haxx.se/docs/adv_20140326A.html
http://curl.haxx.se/docs/adv_20140326B.html
http://www.debian.org/security/2014/dsa-2849
========================

Updated packages in core/updates_testing:
========================
curl-7.28.1-6.4.mga3
libcurl4-7.28.1-6.4.mga3
libcurl-devel-7.28.1-6.4.mga3
curl-examples-7.28.1-6.4.mga3
curl-7.34.0-1.2.mga4
libcurl4-7.34.0-1.2.mga4
libcurl-devel-7.34.0-1.2.mga4
curl-examples-7.34.0-1.2.mga4

from SRPMS:
curl-7.28.1-6.4.mga3.src.rpm
curl-7.34.0-1.2.mga4.src.rpm

Summary: curl new security issue CVE-2014-0015 => curl new security issues CVE-2014-0015, CVE-2014-0138, and CVE-2014-0139
Whiteboard: MGA3TOO feedback => MGA3TOO

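The CVE-2014-0139 paragraph in the advisory above concerns certificate name matching: a wildcard in the CN was honoured even when the name being verified was a literal IP address, so a certificate such as one for "*.168.1.10" could be accepted for 192.168.1.10. The following is an added illustration written for this page, not libcurl's verifier; the function names are assumptions. The weak matcher reproduces the described behaviour; the hardened one refuses wildcard matches for IP literals and, going one step beyond the advisory, also restricts the wildcard to the whole leftmost label with at least two labels after it.

```python
"""Matching a certificate name pattern against the host a client connected to.
Added illustration for this bug report; not libcurl's own hostname matcher."""
import ipaddress


def is_ip_literal(host: str) -> bool:
    """True for IPv4/IPv6 literals such as 192.168.1.10 or [::1]."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def _normalise(name: str) -> str:
    # DNS names are case-insensitive; a trailing dot is the same name.
    return name.lower().rstrip(".")


def _single_label_wildcard(pattern: str, hostname: str) -> bool:
    """Shared tail: '*.suffix' matches 'label.suffix' for exactly one label."""
    suffix = pattern[1:]  # ".example.com" for "*.example.com"
    if not hostname.endswith(suffix):
        return False
    label = hostname[: -len(suffix)]
    return bool(label) and "." not in label


def hostmatch_weak(pattern: str, hostname: str) -> bool:
    """'Before' behaviour: a leading '*' matches any single label and nothing
    asks whether the hostname is a DNS name at all, so an IP address such as
    192.168.1.10 is matched by a certificate for '*.168.1.10'."""
    pattern, hostname = _normalise(pattern), _normalise(hostname)
    if not pattern.startswith("*."):
        return pattern == hostname
    return _single_label_wildcard(pattern, hostname)


def hostmatch_hardened(pattern: str, hostname: str) -> bool:
    """Hardened: IP literals only ever match exactly, and a wildcard is
    accepted only as the entire leftmost label with at least two labels
    after it (so '*.com' never matches anything)."""
    pattern, hostname = _normalise(pattern), _normalise(hostname)
    if is_ip_literal(hostname) or is_ip_literal(pattern):
        return pattern == hostname  # never wildcard-match an address
    if "*" not in pattern:
        return pattern == hostname
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False  # '*' must be the whole first label, and the only one
    if pattern.count(".") < 2:
        return False  # refuse '*.com'-style patterns
    return _single_label_wildcard(pattern, hostname)


if __name__ == "__main__":
    # Constructed cases (assumption): the IP-literal case from the advisory
    # and a few ordinary DNS names.
    for pat, host in [("*.168.1.10", "192.168.1.10"),
                      ("*.example.com", "www.example.com"),
                      ("*.example.com", "a.b.example.com"),
                      ("*.com", "example.com")]:
        print(f"{pat:16} {host:18} weak={hostmatch_weak(pat, host)!s:5} "
              f"hardened={hostmatch_hardened(pat, host)}")
```

The decisive check is the `is_ip_literal` test before any wildcard handling: a wildcard expresses a set of DNS names, and an address is not a DNS name, so the only acceptable match for an address is an exact one (in practice via an IP subjectAltName rather than the CN).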
Comment 18 Marja Van Waes 2014-03-28 22:23:51 CET
curl-7.34.0-1.2.mga4 and
libcurl4-7.34.0-1.2.mga4
work as expected here on a 32-bit system. I did not try any PoCs for the solved security issues, if they exist.
Comment 19 Marja Van Waes 2014-03-30 10:55:58 CEST
lib64curl4-7.34.0-1.2.mga4
curl-7.34.0-1.2.mga4 work fine on a 64-bit system, too.

About the testing procedures from https://bugs.mageia.org/show_bug.cgi?id=4307#c11
(they should be used, I suppose?): the first one,
$ curl pop3://<login>:<password>@<mailhost>/1
works on an xs4all mailbox, but not on a mailbox I prefer to test with (I get "connection refused"), not even if I escape the "@" in my user name (the user name there is exactly that e-mail address).
Comment 20 Dan Fandrich 2014-03-30 11:12:12 CEST
"Connection refused" means that either the host, port or protocol is wrong for that account. Try pop3s: to use an encrypted port, or imap: or imaps: in place of pop3.
Comment 21 Marja Van Waes 2014-03-30 12:47:07 CEST
(In reply to Dan Fandrich from comment #20)
> "Connection refused" means that either the host, port or protocol is wrong
> for that account. Try pop3s: to use an encrypted port, or imap: or imaps: in
> place of pop3.

Well, it was the "@" in the username after all; when I replaced it with "%40" everything worked well (both for pop3 and for pop3s).

For imap and imaps I haven't yet found out how to read a mail, but I suppose getting the correct list of directories (like INBOX, TRASH, etc.) is good enough as a test?

I intend to do the other tests from https://bugs.mageia.org/show_bug.cgi?id=4307#c11 later (I'm now doing them in Mga4 on a 64-bit system); I'm a bit short on time.
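
The exchange above (comments 19 to 21) turns on how a login that is itself an e-mail address fits into the curl test URL: the raw "@" inside the login makes the authority part ambiguous, and "%40" is the percent-encoded form that resolves it. The following is an added example written for this page, not something from the bug or from curl; it builds the test URL with properly encoded userinfo, parses it back, and flags the ambiguous unencoded form. The host, login and password values are constructed.

```python
"""Percent-encoding the userinfo of the pop3://<login>:<password>@<mailhost>/1
test URL when the login contains '@'. Added example for this bug report."""
from urllib.parse import quote, unquote, urlsplit


def build_mail_url(scheme: str, login: str, password: str,
                   mailhost: str, path: str = "/1") -> str:
    """Encode the login and password so that '@', ':', '/', '?' and '#'
    inside them cannot be mistaken for URL delimiters ('@' becomes '%40')."""
    userinfo = f"{quote(login, safe='')}:{quote(password, safe='')}"
    return f"{scheme}://{userinfo}@{mailhost}{path}"


def parse_mail_url(url: str) -> dict:
    """Split the authority at its last '@' (RFC 3986: the host follows the
    final '@') and decode the userinfo back to the original strings."""
    parts = urlsplit(url)
    userinfo, _, hostport = parts.netloc.rpartition("@")
    login, _, password = userinfo.partition(":")
    return {
        "scheme": parts.scheme,
        "login": unquote(login),
        "password": unquote(password),
        "host": hostport,
        "path": parts.path,
    }


def ambiguous_authority(url: str) -> bool:
    """True when an unencoded login leaves more than one '@' in the authority,
    so a client may read the wrong part as the mail host."""
    return urlsplit(url).netloc.count("@") > 1


if __name__ == "__main__":
    # Constructed values (assumption): the login is an e-mail address, as in
    # the thread, and the password contains delimiter characters too.
    raw = "pop3://user@example.com:pw@mail.example.net/1"
    good = build_mail_url("pop3s", "user@example.com", "p@ss:word", "mail.example.net")
    print("unencoded:", raw, "ambiguous =", ambiguous_authority(raw))
    print("encoded  :", good, "ambiguous =", ambiguous_authority(good))
    print(parse_mail_url(good))
```

Passing the credentials with curl's `-u login:password` option instead of embedding them in the URL sidesteps the encoding question altogether, and keeps the secret out of the URL that ends up in shell history and logs.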
Comment 22 Marja Van Waes 2014-03-30 15:56:18 CEST
All the other tests from https://bugs.mageia.org/show_bug.cgi?id=4307#c11 are done on Mga4 64-bit, too, now, and all are fine.

Not adding mga4-64-ok, though, in case I missed one or more PoCs or other things that should have been tested, too.
Comment 23 Marja Van Waes 2014-03-30 18:39:14 CEST
(In reply to Marja van Waes from comment #22)
> All the other tests from https://bugs.mageia.org/show_bug.cgi?id=4307#c11
> are done on Mga4 64-bit, too, now, and all are fine.
> 
> Not adding mga4-64-ok, though, in case I missed one or more PoCs or other
> things that should have been tested, too.

All those tests done for mga4 32-bit, too. Everything works just as well as for 64-bit.

I can't test Mageia 3, sorry.
Comment 24 claire robinson 2014-03-31 13:28:48 CEST
Procedure: https://bugs.mageia.org/show_bug.cgi?id=4307#c11

Thanks Marja, adding the OKs.

Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-32-ok mga4-64-ok

Comment 25 David Walser 2014-03-31 18:34:09 CEST
LWN references for CVE-2014-0138 and CVE-2014-0139:
http://lwn.net/Vulnerabilities/592583/
http://lwn.net/Vulnerabilities/592586/
David Walser 2014-03-31 22:31:25 CEST

Severity: normal => major

Comment 26 claire robinson 2014-04-01 16:25:14 CEST
Testing complete mga3-64

Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-64-ok mga4-32-ok mga4-64-ok

Comment 27 claire robinson 2014-04-01 16:42:09 CEST
Testing complete mga3 32

Whiteboard: MGA3TOO has_procedure mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok

Comment 28 claire robinson 2014-04-01 16:53:23 CEST
Advisory uploaded. Validating.

Could sysadmin please push to 3 & 4 updates?

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 29 Damien Lallement 2014-04-03 02:57:12 CEST
http://advisories.mageia.org/MGASA-2014-0153.html

Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED

