Upstream has issued an advisory today (November 5):
http://curl.haxx.se/docs/adv_20141105.html

It is fixed upstream in 7.39.0 and there is a patch:
http://curl.haxx.se/CVE-2014-3707.patch

A freeze push request has been sent for Cauldron.

Mageia 3 and Mageia 4 are also affected.
Whiteboard: (none) => MGA4TOO, MGA3TOO
Dan, I tried updating to 7.39.0, but test 2034 failed: http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20141105224234.ennael.valstar.518/log/curl-7.39.0-1.mga5/build.0.20141105224306.log For now I've backported the patch, but it'd be nice if we could get 7.39.0 built.
CC: (none) => dan
Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

I don't have a concise description of the issue for now, so see the upstream advisory. I'll post an advisory once another distro provides a concise description.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3707
http://curl.haxx.se/docs/adv_20141105.html

========================
Updated packages in core/updates_testing:
========================
curl-7.28.1-6.6.mga3
libcurl4-7.28.1-6.6.mga3
libcurl-devel-7.28.1-6.6.mga3
curl-examples-7.28.1-6.6.mga3
curl-7.34.0-1.4.mga4
libcurl4-7.34.0-1.4.mga4
libcurl-devel-7.34.0-1.4.mga4
curl-examples-7.34.0-1.4.mga4

from SRPMS:
curl-7.28.1-6.6.mga3.src.rpm
curl-7.34.0-1.4.mga4.src.rpm
Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Severity: normal => major
Test 2034 failing in some environments is a known issue without a solution yet: http://curl.haxx.se/mail/lib-2014-11/0040.html I suggest just disabling it (with !2034 in the test line) for the moment until it's figured out upstream.
Testing procedure (based off https://bugs.mageia.org/show_bug.cgi?id=4307#c11 but updated):

$ curl pop3://<login>:<password>@<mailhost>/1
to retrieve first email from pop3

$ curl imap://<login>:<password>@<mailhost>
to do the same with imap

$ curl -L https://<some-website.com>
shows website source

$ curl -l ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/i586/media/core/updates/
shows ftp directory listing

$ curl -o qarte.rpm ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/i586/media/core/updates/qarte-2.2.0-1.mga4.noarch.rpm
CC: (none) => remi
Whiteboard: MGA3TOO => MGA3TOO has_procedure
Tested on Mageia3-64 following procedure in comment 4.

First tested with core package:
# rpm -q curl
curl-7.28.1-6.5.mga3
All 5 tests OK.

Then updated to testing packages:
- curl-7.28.1-6.6.mga3.x86_64
- lib64curl4-7.28.1-6.6.mga3.x86_64

All 5 tests passed.
CC: (none) => olchal
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA3-64-OK
Debian has issued an advisory for this today (November 7):
https://lists.debian.org/debian-security-announce/2014/msg00257.html

Advisory:
========================

Updated curl packages fix security vulnerability:

Symeon Paraschoudis discovered that the curl_easy_duphandle() function in cURL has a bug that can lead to libcurl eventually sending off sensitive data that was not intended for sending, while performing a HTTP POST operation. This bug requires CURLOPT_COPYPOSTFIELDS and curl_easy_duphandle() to be used in that order, and then the duplicate handle must be used to perform the HTTP POST. The curl command line tool is not affected by this problem as it does not use this sequence (CVE-2014-3707).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3707
http://curl.haxx.se/docs/adv_20141105.html
https://www.debian.org/security/2014/dsa-3069
URL: (none) => http://lwn.net/Vulnerabilities/619474/
Tests passed OK for curl-7.34.0-1.4.mga4 on x86_64: HTTPS/FTP/FTP -o
Not tested: IMAP/POP3
CC: (none) => olivier
The curl package has an extensive build-time test suite containing hundreds of tests. It does not need to be extensively tested after the fact. If it installs cleanly and there's no obvious regressions, it's fine.
Idem as Olivier.
CC: (none) => herman.viaene
Confirming MGA4 x64 Comment 7 Comment 9.

Tried the last 3 examples from Comment 4 both *before* and *after* the update. Results were the same:

$ curl -L https://<some-website.com>
fetched the page source.

$ curl -l ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/i586/media/core/updates/
listed the packages.

$ curl -o qarte.rpm ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/i586/media/core/updates/qarte-2.2.0-1.mga4.noarch.rpm
downloaded the qarte.rpm file.

In the light of Comment 8, OKing this.
CC: (none) => lewyssmith
Whiteboard: MGA3TOO has_procedure MGA3-64-OK => MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK
Tested fine with http:// and https:// on MGA4-32-OK.
CC: (none) => shlomif
Whiteboard: MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK => MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK <GA4-32-OK
Forgot this... In the CVE etc, and Comment 6 "The curl command line tool is not affected by this problem" I wonder at the relevance of the tests done. Curl's own description says, in addition, "libcurl is used by many applications". Apologies in advance if this remark is invalid.
Tested fine with http:// and https:// on MGA3-32-OK.
Whiteboard: MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK <GA4-32-OK => MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK MGA4-32-OK MGA3-32-OK
Validating. Advisory uploaded. Could sysadmin please push to 3 & 4 updates? Thanks.
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK MGA4-32-OK MGA3-32-OK => MGA3TOO has_procedure advisory MGA3-64-OK MGA4-64-OK MGA4-32-OK MGA3-32-OK
CC: (none) => sysadmin-bugs
W.r.t. comment 6, these tests aren't to ensure that the security issue has been patched, but rather to ensure that there haven't been regressions in core curl functionality. Test 545 in the curl test suite does a check for regressions in the functionality affected by the patch, and that's run at RPM build time.
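The advisory quoted in this thread says the bug needs CURLOPT_COPYPOSTFIELDS followed by curl_easy_duphandle(), a sequence the command-line checks above never exercise. The following is an added example, not part of the original thread and not curl project code: a small source audit that flags C files where a duphandle call follows a COPYPOSTFIELDS setopt. The sample sources are constructed, and judging order by position in the file is a heuristic assumption, so a hit is a prompt for manual review rather than proof.

```python
import re

# String literals are matched first so "http://..." is not mistaken for a comment.
_TOKEN = re.compile(r'"(?:\\.|[^"\\\n])*"|/\*.*?\*/|//[^\n]*', re.S)
_COPYPOST = re.compile(r"curl_easy_setopt\s*\([^;]*?\bCURLOPT_COPYPOSTFIELDS\b")
_DUP = re.compile(r"\bcurl_easy_duphandle\s*\(")

def _blank_comments(src):
    """Overwrite comments with spaces, keeping newlines so line numbers stay valid."""
    def repl(m):
        text = m.group()
        return text if text.startswith('"') else re.sub(r"[^\n]", " ", text)
    return _TOKEN.sub(repl, src)

def find_affected_sequence(src):
    """Return (setopt_line, duphandle_line) for each duphandle call that follows
    a CURLOPT_COPYPOSTFIELDS setopt in the same source text (heuristic: text order)."""
    code = _blank_comments(src)
    line = lambda off: code.count("\n", 0, off) + 1
    sets = [m.start() for m in _COPYPOST.finditer(code)]
    findings = []
    for m in _DUP.finditer(code):
        earlier = [s for s in sets if s < m.start()]
        if earlier:
            findings.append((line(earlier[-1]), line(m.start())))
    return findings

# Constructed sample sources, not taken from any real application.
FLAGGED = '''#include <curl/curl.h>
void post(const char *body, long n) {
  CURL *h = curl_easy_init();
  curl_easy_setopt(h, CURLOPT_URL, "http://upload.example.invalid/");
  curl_easy_setopt(h, CURLOPT_POSTFIELDSIZE, n);
  curl_easy_setopt(h, CURLOPT_COPYPOSTFIELDS, body);
  CURL *dup = curl_easy_duphandle(h);
  curl_easy_perform(dup);
}
'''
NOT_FLAGGED = '''CURL *h = curl_easy_init();
// curl_easy_setopt(h, CURLOPT_COPYPOSTFIELDS, body);
CURL *dup = curl_easy_duphandle(h);
curl_easy_setopt(dup, CURLOPT_COPYPOSTFIELDS, body);
curl_easy_perform(dup);
'''

if __name__ == "__main__":
    print(find_affected_sequence(FLAGGED))      # [(6, 7)]
    print(find_affected_sequence(NOT_FLAGGED))  # []
```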
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0444.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
MGA4-64 on HP Probook 6555b KDE
Ref testcases Comment 4.
I did not try IMAP.
Last 3 examples complete successfully.
The test on pop3: mixed bag. Tried with 3 different providers:
one: responds: curl: (67) Authentication cancelled
second (gmail): just times out
third: retrieves mail OK.
@comment 17: sorry, I updated wrong bug.
Just to rubber-stamp it, ran this in a 32-bit vbox. Executed the website and download tests after the update and all is well.
CC: (none) => tarazed25
So did I.