Bug 14468 - curl new security issue CVE-2014-3707
Summary: curl new security issue CVE-2014-3707
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/619474/
Whiteboard: MGA3TOO has_procedure advisory MGA3-6...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-11-05 20:38 CET by David Walser
Modified: 2016-01-29 22:39 CET

See Also:
Source RPM: curl-7.34.0-1.3.mga4.src.rpm
CVE:
Status comment:



Description David Walser 2014-11-05 20:38:17 CET
Upstream has issued an advisory today (November 5):
http://curl.haxx.se/docs/adv_20141105.html

It is fixed upstream in 7.39.0 and there is a patch:
http://curl.haxx.se/CVE-2014-3707.patch

A freeze push request has been sent for Cauldron.

Mageia 3 and Mageia 4 are also affected.

David Walser 2014-11-05 20:38:24 CET

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 David Walser 2014-11-06 00:04:34 CET
Dan, I tried updating to 7.39.0, but test 2034 failed:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20141105224234.ennael.valstar.518/log/curl-7.39.0-1.mga5/build.0.20141105224306.log

For now I've backported the patch, but it'd be nice if we could get 7.39.0 built.

CC: (none) => dan

Comment 2 David Walser 2014-11-06 00:13:33 CET
Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

I don't have a concise description of the issue for now, so see the upstream advisory.  I'll post an advisory once another distro provides a concise description.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3707
http://curl.haxx.se/docs/adv_20141105.html
========================

Updated packages in core/updates_testing:
========================
curl-7.28.1-6.6.mga3
libcurl4-7.28.1-6.6.mga3
libcurl-devel-7.28.1-6.6.mga3
curl-examples-7.28.1-6.6.mga3
curl-7.34.0-1.4.mga4
libcurl4-7.34.0-1.4.mga4
libcurl-devel-7.34.0-1.4.mga4
curl-examples-7.34.0-1.4.mga4

from SRPMS:
curl-7.28.1-6.6.mga3.src.rpm
curl-7.34.0-1.4.mga4.src.rpm

Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Severity: normal => major

Comment 3 Dan Fandrich 2014-11-06 10:46:44 CET
Test 2034 failing in some environments is a known issue without a solution yet: http://curl.haxx.se/mail/lib-2014-11/0040.html  I suggest just disabling it (with !2034 in the test line) for the moment until it's figured out upstream.

Comment 4 Rémi Verschelde 2014-11-07 16:40:12 CET
Testing procedure (based off https://bugs.mageia.org/show_bug.cgi?id=4307#c11 but updated):

$ curl pop3://<login>:<password>@<mailhost>/1

to retrieve first email from pop3

$ curl imap://<login>:<password>@<mailhost>

to do the same with imap

$ curl -L https://<some-website.com>

shows website source

$ curl -l ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/i586/media/core/updates/

shows ftp directory listing

$ curl -o qarte.rpm ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/i586/media/core/updates/qarte-2.2.0-1.mga4.noarch.rpm

CC: (none) => remi
Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 5 olivier charles 2014-11-07 20:40:23 CET
Tested on Mageia3-64 following procedure in comment 4.

First tested with core package :
# rpm -q curl
curl-7.28.1-6.5.mga3
all 5 tests OK

Then updated to testing packages :
- curl-7.28.1-6.6.mga3.x86_64
- lib64curl4-7.28.1-6.6.mga3.x86_64

All 5 tests passed.

CC: (none) => olchal
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA3-64-OK

Comment 6 David Walser 2014-11-07 20:45:04 CET
Debian has issued an advisory for this today (November 7):
https://lists.debian.org/debian-security-announce/2014/msg00257.html

Advisory:
========================

Updated curl packages fix security vulnerability:

Symeon Paraschoudis discovered that the curl_easy_duphandle() function in
cURL has a bug that can lead to libcurl eventually sending off sensitive data
that was not intended for sending, while performing a HTTP POST operation.
This bug requires CURLOPT_COPYPOSTFIELDS and curl_easy_duphandle() to be used
in that order, and then the duplicate handle must be used to perform the HTTP
POST. The curl command line tool is not affected by this problem as it does
not use this sequence (CVE-2014-3707).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3707
http://curl.haxx.se/docs/adv_20141105.html
https://www.debian.org/security/2014/dsa-3069

URL: (none) => http://lwn.net/Vulnerabilities/619474/
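
The advisory in comment 6 ties the bug to a specific libcurl call order, which the command-line tests in this report do not exercise. As an added example (not from this bug report, curl, or Mageia), the shell functions below flag C/C++ sources in which curl_easy_duphandle() appears after a CURLOPT_COPYPOSTFIELDS line; the function names, the constructed sample files and the line-order heuristic are assumptions made here.

```shell
# Added example, not curl or Mageia tooling: heuristic source audit for the
# call order named in the CVE-2014-3707 advisory text.

# scan_file FILE: print "FILE:OPTLINE:DUPLINE" for each curl_easy_duphandle()
# call that follows a CURLOPT_COPYPOSTFIELDS line. Status 0 on a hit, else 1.
scan_file() {
    awk '
        /CURLOPT_COPYPOSTFIELDS/ { optline = NR }
        /curl_easy_duphandle[ \t]*\(/ && optline {
            printf "%s:%d:%d\n", FILENAME, optline, NR; hits++
        }
        END { exit (hits ? 0 : 1) }
    ' "$1"
}

# scan_tree DIR: run scan_file over C/C++ files under DIR. Status 0 on a hit.
scan_tree() {
    out=$(find "$1" -type f \( -name '*.[ch]' -o -name '*.cpp' \) | sort |
          while IFS= read -r src; do scan_file "$src" || :; done)
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# make_samples: write two constructed C files to a temp dir, print its path.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/dup_after_copy.c" <<'EOF'
void post_with_copy(CURL *h, const char *body) {
    curl_easy_setopt(h, CURLOPT_COPYPOSTFIELDS, body);
    CURL *copy = curl_easy_duphandle(h);   /* order named in the advisory */
    curl_easy_perform(copy);
}
EOF
    cat > "$dir/plain_post.c" <<'EOF'
void post_plain(CURL *h, const char *body) {
    curl_easy_setopt(h, CURLOPT_POSTFIELDS, body);
    CURL *copy = curl_easy_duphandle(h);   /* no COPYPOSTFIELDS: not flagged */
    curl_easy_perform(copy);
}
EOF
    printf '%s\n' "$dir"
}

samples=$(make_samples)
scan_tree "$samples" || echo "nothing flagged"
rm -rf "$samples"
```

A hit means the code should be reviewed against the upstream advisory and rebuilt or run against a patched libcurl; it does not prove that the duplicate handle is actually used for a POST.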

Comment 7 Olivier FAURAX 2014-11-10 00:08:09 CET
Tests passed OK for curl-7.34.0-1.4.mga4 on x86_64: HTTPS/FTP/FTP -o
Not tested: IMAP/POP3

CC: (none) => olivier

Comment 8 David Walser 2014-11-10 00:10:09 CET
The curl package has an extensive build-time test suite containing hundreds of tests.  It does not need to be extensively tested after the fact.  If it installs cleanly and there's no obvious regressions, it's fine.

Comment 9 Herman Viaene 2014-11-11 15:46:55 CET
Idem as Olivier.

CC: (none) => herman.viaene

Comment 10 Lewis Smith 2014-11-12 19:56:56 CET
Confirming MGA4 x64 Comment 7 Comment 9.

Tried the last 3 examples from Comment 4 both *before* and *after* the update. Results were the same:
 $ curl -L https://<some-website.com> fetched the page source.
 $ curl -l ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/i586/media/core/updates/ listed the packages.
 $ curl -o qarte.rpm ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/i586/media/core/updates/qarte-2.2.0-1.mga4.noarch.rpm downloaded the qarte.rpm file.

In the light of Comment 8, OKing this.

CC: (none) => lewyssmith
Whiteboard: MGA3TOO has_procedure MGA3-64-OK => MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK

Comment 11 Shlomi Fish 2014-11-12 20:03:22 CET
Tested fine with http:// and https:// on MGA4-32-OK.

CC: (none) => shlomif
Whiteboard: MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK => MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK <GA4-32-OK

Comment 12 Lewis Smith 2014-11-12 20:04:42 CET
Forgot this... In the CVE etc, and Comment 6 "The curl command line tool is not affected by this problem" I wonder at the relevance of the tests done.
Curl's own description says, in addition, "libcurl is used by many applications".
Apologies in advance if this remark is invalid.

Comment 13 Shlomi Fish 2014-11-12 20:08:29 CET
Tested fine with http:// and https:// on MGA3-32-OK.

Whiteboard: MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK <GA4-32-OK => MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK MGA4-32-OK MGA3-32-OK

Comment 14 claire robinson 2014-11-13 10:06:07 CET
Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK MGA4-32-OK MGA3-32-OK => MGA3TOO has_procedure advisory MGA3-64-OK MGA4-64-OK MGA4-32-OK MGA3-32-OK
CC: (none) => sysadmin-bugs

Comment 15 Dan Fandrich 2014-11-13 11:20:00 CET
W.r.t. comment 6, these tests aren't to ensure that the security issue has been patched, but rather to ensure that there haven't been regressions in core curl functionality. Test 545 in the curl test suite does a check for regressions in the functionality affected by the patch, and that's run at RPM build time.

Comment 16 Mageia Robot 2014-11-14 01:58:14 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0444.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 17 Herman Viaene 2015-01-09 10:49:38 CET
MGA4-64 on HP Probook 6555b KDE
ref testcases Comment 4
I did not try IMAP
Last 3 examples complete successfully.
The test on pop3 : mixed bag. Tried with 3 different providers:
one: responds : curl: (67) Authentication cancelled
second (gmail): just times out
third retrieves mail OK.

Comment 18 Herman Viaene 2015-01-09 10:52:40 CET
@comment 17: sorry, I updated wrong bug.

Comment 19 Len Lawrence 2016-01-29 22:38:39 CET
Just to rubber-stamp it, ran this in a 32-bit vbox.
Executed the website and download tests after the update and all is well.

CC: (none) => tarazed25

Comment 20 Len Lawrence 2016-01-29 22:39:22 CET
So did I.
