Upstream has issued an advisory today (November 5):
It is fixed upstream in 7.39.0 and there is a patch:
A freeze push request has been sent for Cauldron.
Mageia 3 and Mageia 4 are also affected.
Dan, I tried updating to 7.39.0, but test 2034 failed:
For now I've backported the patch, but it'd be nice if we could get 7.39.0 built.
Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.
I don't have a concise description of the issue for now, so see the upstream advisory. I'll post an advisory once another distro provides a concise description.
Updated packages in core/updates_testing:
MGA4TOO, MGA3TOO =>
Test 2034 failing in some environments is a known issue without a solution yet: http://curl.haxx.se/mail/lib-2014-11/0040.html I suggest just disabling it (with !2034 in the test line) for the moment until it's figured out upstream.
Testing procedure (based off https://bugs.mageia.org/show_bug.cgi?id=4307#c11 but updated):
$ curl pop3://<login>:<password>@<mailhost>/1
to retrieve first email from pop3
$ curl imap://<login>:<password>@<mailhost>
to do the same with imap
$ curl -L https://<some-website.com>
shows website source
$ curl -l ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/i586/media/core/updates/
shows ftp directory listing
$ curl -o qarte.rpm ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/i586/media/core/updates/qarte-2.2.0-1.mga4.noarch.rpm
Tested on Mageia3-64 following procedure in comment 4.
First tested with core package :
# rpm -q curl
all 5 tests OK
Then updated to testing packages :
All 5 tests passed.
MGA3TOO has_procedure =>
MGA3TOO has_procedure MGA3-64-OK
Debian has issued an advisory for this today (November 7):
Updated curl packages fix security vulnerability:
Symeon Paraschoudis discovered that the curl_easy_duphandle() function in
cURL has a bug that can lead to libcurl eventually sending off sensitive data
that was not intended for sending, while performing a HTTP POST operation.
This bug requires CURLOPT_COPYPOSTFIELDS and curl_easy_duphandle() to be used
in that order, and then the duplicate handle must be used to perform the HTTP
POST. The curl command line tool is not affected by this problem as it does
not use this sequence (CVE-2014-3707).
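The call order the advisory describes can be looked for in application source, since the exposure is in programs that link libcurl rather than in the curl tool. The following is an added example, not part of the original thread or of curl: a textual heuristic over a single C file, with function names and sample sources constructed for illustration; it does not follow handles across files or wrapper functions.

```python
import re

# Strings are matched first so "http://..." is not mistaken for a comment.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*', re.S)
SETOPT = re.compile(r'curl_easy_setopt\s*\(\s*(\w+)\s*,\s*CURLOPT_COPYPOSTFIELDS\b')
DUP = re.compile(r'(?:(\w+)\s*=\s*)?curl_easy_duphandle\s*\(\s*(\w+)\s*\)')

def strip_comments(src):
    """Blank out C comments, keeping newlines so line numbers stay valid."""
    def repl(m):
        tok = m.group(0)
        return tok if tok.startswith('"') else re.sub(r'[^\n]', ' ', tok)
    return TOKEN.sub(repl, src)

def find_sequences(src):
    """Return (handle, setopt_line, dup_line, dup_is_performed) tuples for
    CURLOPT_COPYPOSTFIELDS followed by curl_easy_duphandle on the same handle."""
    code = strip_comments(src)
    line = lambda pos: code.count('\n', 0, pos) + 1
    hits = []
    for s in SETOPT.finditer(code):
        for d in DUP.finditer(code, s.end()):
            if d.group(2) != s.group(1):
                continue  # a different handle was duplicated
            dup_var = d.group(1)
            used = bool(dup_var and re.search(
                r'curl_(?:easy_perform|multi_add_handle)\s*\([^;]*\b%s\b'
                % re.escape(dup_var), code[d.end():]))
            hits.append((s.group(1), line(s.start()), line(d.start()), used))
    return hits

# Constructed sample sources (not taken from any real project).
AFFECTED = '''CURL *h = curl_easy_init();
curl_easy_setopt(h, CURLOPT_URL, "http://example.invalid/"); // set URL
curl_easy_setopt(h, CURLOPT_COPYPOSTFIELDS, body);
CURL *d = curl_easy_duphandle(h);
curl_easy_perform(d);
'''
DUP_FIRST = '''CURL *h = curl_easy_init();
CURL *d = curl_easy_duphandle(h);
curl_easy_setopt(d, CURLOPT_COPYPOSTFIELDS, body);
curl_easy_perform(d);
'''
COMMENTED = '''curl_easy_setopt(h, CURLOPT_COPYPOSTFIELDS, body);
/* CURL *d = curl_easy_duphandle(h); */
curl_easy_perform(h);
'''

if __name__ == "__main__":
    for name, src in [("AFFECTED", AFFECTED), ("DUP_FIRST", DUP_FIRST), ("COMMENTED", COMMENTED)]:
        print(name, find_sequences(src))
```

A hit with the last field true matches all three conditions in the advisory; such code needs a libcurl build carrying the fix (7.39.0 or the backported patch).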
Tests passed OK for curl-7.34.0-1.4.mga4 on x86_64: HTTPS/FTP/FTP -o
Not tested: IMAP/POP3
The curl package has an extensive build-time test suite containing hundreds of tests. It does not need to be extensively tested after the fact. If it installs cleanly and there's no obvious regressions, it's fine.
Idem as Olivier.
Confirming MGA4 x64 Comment 7 Comment 9.
Tried the last 3 examples from Comment 4 both *before* and *after* the update. Results were the same:
$ curl -L https://<some-website.com> fetched the page source.
$ curl -l ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/i586/media/core/updates/ listed the packages.
$ curl -o qarte.rpm ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/i586/media/core/updates/qarte-2.2.0-1.mga4.noarch.rpm downloaded the qarte.rpm file.
In the light of Comment 8, OKing this.
MGA3TOO has_procedure MGA3-64-OK =>
MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK
Tested fine with http:// and https:// on MGA4-32-OK.
MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK =>
MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK <GA4-32-OK
Forgot this... In the CVE etc, and Comment 6 "The curl command line tool is not affected by this problem" I wonder at the relevance of the tests done.
Curl's own description says, in addition, "libcurl is used by many applications".
Apologies in advance if this remark is invalid.
Tested fine with http:// and https:// on MGA3-32-OK.
MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK <GA4-32-OK =>
MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK MGA4-32-OK MGA3-32-OK
Validating. Advisory uploaded.
Could sysadmin please push to 3 & 4 updates
MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK MGA4-32-OK MGA3-32-OK =>
MGA3TOO has_procedure advisory MGA3-64-OK MGA4-64-OK MGA4-32-OK MGA3-32-OK
W.r.t. comment 6, these tests aren't to ensure that the security issue has been patched, but rather to ensure that there haven't been regressions in core curl functionality. Test 545 in the curl test suite does a check for regressions in the functionality affected by the patch, and that's run at RPM build time.
An update for this issue has been pushed to Mageia Updates repository.
MGA4-64 on HP Probook 6555b KDE
ref testcases Comment 4
I did not try IMAP
Last 3 examples complete successfully.
The test on pop3 : mixed bag. Tried with 3 different providers:
one: responds : curl: (67) Authentication cancelled
second (gmail): just times out
third retrieves mail OK.
@comment 17: sorry, I updated wrong bug.
Just to rubber-stamp it ran this in a 32-bit vbox.
Executed the website and download tests after the update and all is well.
So did I.