Bug 14088 - curl new security issues CVE-2014-3613 and CVE-2014-3620
Summary: curl new security issues CVE-2014-3613 and CVE-2014-3620
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/611591/
Whiteboard: MGA3TOO has_procedure advisory mga3-3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-09-10 20:09 CEST by David Walser
Modified: 2014-09-24 18:44 CEST

See Also:
Source RPM: curl-7.34.0-1.2.mga4.src.rpm
CVE:
Status comment:


Description David Walser 2014-09-10 20:09:30 CEST
Upstream has issued two advisories today (September 10):
http://curl.haxx.se/docs/adv_20140910A.html
http://curl.haxx.se/docs/adv_20140910B.html

The second only affects the versions in Mageia 4 and Cauldron.

The first affects Mageia 3, Mageia 4, and Cauldron.

The issue is fixed in 7.38.0 (in SVN for Cauldron, awaiting a push) and with patches from upstream (committed in SVN for Mageia 3 and Mageia 4).

Reproducible: 

Steps to Reproduce:
David Walser 2014-09-10 20:09:37 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 David Walser 2014-09-10 23:51:38 CEST
Updated package uploaded for Cauldron.

Patched packages uploaded for Mageia 3 and Mageia 4.

Advisory (Mageia 3):
========================

Updated curl packages fix security vulnerabilities:

In cURL before 7.38.0, libcurl can be fooled to both sending cookies to wrong
sites and into allowing arbitrary sites to set cookies for others. For this
problem to trigger, the client application must use the numerical IP address
in the URL to access the site (CVE-2014-3613).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3613
http://curl.haxx.se/docs/adv_20140910A.html
========================

Updated packages in core/updates_testing:
========================
curl-7.28.1-6.5.mga3
libcurl4-7.28.1-6.5.mga3
libcurl-devel-7.28.1-6.5.mga3
curl-examples-7.28.1-6.5.mga3

from curl-7.28.1-6.5.mga3.src.rpm


Advisory (Mageia 4):
========================

Updated curl packages fix security vulnerabilities:

In cURL before 7.38.0, libcurl can be fooled to both sending cookies to wrong
sites and into allowing arbitrary sites to set cookies for others. For this
problem to trigger, the client application must use the numerical IP address
in the URL to access the site (CVE-2014-3613).

In cURL before 7.38.0, libcurl wrongly allows cookies to be set for Top Level
Domains (TLDs), thus making them apply broader than cookies are allowed. This
can allow arbitrary sites to set cookies that then would get sent to a
different and unrelated site or domain (CVE-2014-3620).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3613
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3620
http://curl.haxx.se/docs/adv_20140910A.html
http://curl.haxx.se/docs/adv_20140910B.html
========================

Updated packages in core/updates_testing:
========================
curl-7.34.0-1.3.mga4
libcurl4-7.34.0-1.3.mga4
libcurl-devel-7.34.0-1.3.mga4
curl-examples-7.34.0-1.3.mga4

from curl-7.34.0-1.3.mga4.src.rpm

Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
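
The two advisories above both come down to how a cookie's Domain attribute is matched against the request host. The following is an added example, not curl's own code: a stand-alone C implementation of the two checks that the 7.38.0 fixes enforce. For a numerical IP host, a Domain attribute is only honoured when it equals the host exactly, so no suffix matching can make "2.3.4" cover 1.2.3.4 (the CVE-2014-3613 class). A Domain attribute with no dot in it at all, such as "com", is rejected outright (the CVE-2014-3620 class). Everything else falls back to the usual RFC 6265 tail match on a label boundary. Function names, the sample hosts and the table in main() are all constructed for this example.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <sys/socket.h>

/* True if 'host' is a numerical IPv4 or IPv6 literal (IPv6 without the URL brackets). */
static bool host_is_ip(const char *host)
{
    unsigned char buf[16];
    return inet_pton(AF_INET, host, buf) == 1 ||
           inet_pton(AF_INET6, host, buf) == 1;
}

/* Case-insensitive tail match: 'host' equals 'domain' or ends with "." + 'domain'.
   The label-boundary test stops "notexample.com" from matching "example.com". */
static bool domain_tail_match(const char *host, const char *domain)
{
    size_t hl = strlen(host), dl = strlen(domain);
    if (dl == 0 || dl > hl)
        return false;
    if (strcasecmp(host + (hl - dl), domain) != 0)
        return false;
    return hl == dl || host[hl - dl - 1] == '.';
}

/* May a Set-Cookie Domain attribute 'domain' be honoured for a request to 'host'?
   'domain' is NULL or empty for a host-only cookie (no Domain attribute). */
bool cookie_domain_allowed(const char *host, const char *domain)
{
    if (domain == NULL || *domain == '\0')
        return true;                     /* host-only cookie: bound to 'host' itself */
    if (*domain == '.')
        domain++;                        /* RFC 6265 ignores a leading dot */
    if (host_is_ip(host))
        return strcasecmp(host, domain) == 0;   /* CVE-2014-3613: no suffix match on IP literals */
    if (strchr(domain, '.') == NULL)
        return false;                    /* CVE-2014-3620: a bare TLD is never a cookie domain */
    return domain_tail_match(host, domain);
}

/* Should a stored cookie be sent on a request to 'host'? A host-only cookie goes
   only to the exact host; a domain cookie uses the same rules as above. */
bool cookie_should_send(const char *host, const char *cookie_domain, bool host_only)
{
    if (host_only || host_is_ip(host))
        return strcasecmp(host, cookie_domain) == 0;
    return domain_tail_match(host, cookie_domain);
}

int main(void)
{
    /* Constructed cases: request host, Domain attribute, expected decision. */
    struct { const char *host, *domain; bool expect; } cases[] = {
        { "1.2.3.4",         "2.3.4",        false },  /* IP host, suffix attack */
        { "1.2.3.4",         "1.2.3.4",      true  },  /* IP host, exact match */
        { "example.com",     "com",          false },  /* bare TLD */
        { "example.com",     ".com",         false },  /* bare TLD with leading dot */
        { "www.example.com", "example.com",  true  },  /* normal domain cookie */
        { "notexample.com",  "example.com",  false },  /* not on a label boundary */
        { "example.com",     "www.example.com", false }, /* domain longer than host */
    };
    size_t n = sizeof cases / sizeof cases[0];
    for (size_t i = 0; i < n; i++) {
        bool got = cookie_domain_allowed(cases[i].host, cases[i].domain);
        printf("%-18s Domain=%-16s -> %s%s\n", cases[i].host, cases[i].domain,
               got ? "accept" : "reject", got == cases[i].expect ? "" : "  (UNEXPECTED)");
    }
    return 0;
}
```

Note the caveat: like curl's own 7.38.0 fix, the "no dot means TLD" rule does not consult the public suffix list, so a Domain attribute of co.uk still passes. Closing that gap needs a PSL lookup, which is outside what these advisories cover.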

Comment 2 David Walser 2014-09-10 23:51:55 CEST
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=4307#c11

Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 3 David Walser 2014-09-11 16:15:44 CEST
Debian has issued an advisory for this on September 10:
https://www.debian.org/security/2014/dsa-3022

URL: (none) => http://lwn.net/Vulnerabilities/611591/

Comment 4 David Walser 2014-09-11 21:24:58 CEST
Oops, forgot to assign to QA.

Assignee: bugsquad => qa-bugs

Comment 5 Samuel Verschelde 2014-09-16 09:17:06 CEST
Testing complete MGA4 64 following procedure linked in comment #2, just had to change the ftp URLs to another mirror and another RPM.

CC: (none) => stormi

Samuel Verschelde 2014-09-16 09:17:16 CEST

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA4-64-OK

Comment 6 claire robinson 2014-09-19 18:44:04 CEST
Testing complete mga3 32

For another mirror and another RPM try these :)

curl -l ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/i586/media/core/updates/

and

curl -o qarte.rpm ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/i586/media/core/updates/qarte-2.2.0-1.mga4.noarch.rpm

Whiteboard: MGA3TOO has_procedure MGA4-64-OK => MGA3TOO has_procedure mga3-32-ok MGA4-64-OK

Comment 7 claire robinson 2014-09-19 19:33:35 CEST
Testing complete mga3 64

Whiteboard: MGA3TOO has_procedure mga3-32-ok MGA4-64-OK => MGA3TOO has_procedure mga3-32-ok mga3-64-ok MGA4-64-OK

Comment 8 Len Lawrence 2014-09-19 23:02:49 CEST
Testing in mga4 x86_64

The exact commands from comment #6 worked fine.

CC: (none) => tarazed25

Comment 9 Len Lawrence 2014-09-19 23:07:13 CEST
curl -L www.mageia.org > test.html

The site came up in Firefox with no errors.

Hardware: i586 => x86_64

Comment 10 Len Lawrence 2014-09-19 23:10:51 CEST
(In reply to Len Lawrence from comment #9)
> curl -L www.mageia.org > test.html
> 
> The site came up in Firefox with no errors.

Well, at least the documentation links worked; others were treated as local links.
David Walser 2014-09-19 23:23:32 CEST

Hardware: x86_64 => All

Comment 11 olivier charles 2014-09-21 22:12:32 CEST
Following the procedure from comment #2

Testing on MGA3 x86_64 in Virtualbox
Everything OK for me as well

Testing on MGA4 x86_64 using the same procedure
Everything OK except 

 curl imap://login:password@imap.free.fr

returns a list of folders:

* LIST () "/" Trash
* LIST () "/" INBOX/sent-mail
* LIST () "/" Sent
* LIST () "/" INBOX

instead of the first message.

CC: (none) => olchal
Version: 4 => Cauldron

Comment 12 David Walser 2014-09-21 22:15:19 CEST
Don't change the version assignment on the bugs.

Version: Cauldron => 4

Comment 13 claire robinson 2014-09-22 14:04:21 CEST
Testing complete mga4 32

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok MGA4-64-OK => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok MGA4-64-OK

Comment 14 claire robinson 2014-09-22 14:24:03 CEST
Validating. Separate advisories uploaded for mga3 and 4.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok MGA4-64-OK => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 15 Mageia Robot 2014-09-24 18:44:52 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0384.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 16 Mageia Robot 2014-09-24 18:44:54 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0385.html
