Upstream has issued an advisory today (January 8):
http://curl.haxx.se/docs/adv_20150108B.html

The issue is fixed upstream in 7.40.0 (freeze push requested for Cauldron) and there's a patch available.

Note: 7.40.0 also fixes CVE-2014-8151, which only affects Mac OS X and iOS.

Patched packages uploaded for Mageia 4.

Advisory:
========================

Updated curl packages fix security vulnerability:

When libcurl sends a request to a server via a HTTP proxy, it copies the entire URL into the request and sends it off. If the given URL contains line feeds and carriage returns those will be sent along to the proxy too, which allows the program to for example send a separate HTTP request injected embedded in the URL (CVE-2014-8150).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8150
http://curl.haxx.se/docs/adv_20150108B.html
========================

Updated packages in core/updates_testing:
========================
curl-7.34.0-1.5.mga4
libcurl4-7.34.0-1.5.mga4
libcurl-devel-7.34.0-1.5.mga4
curl-examples-7.34.0-1.5.mga4

from curl-7.34.0-1.5.mga4.src.rpm
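The behaviour the advisory above describes, with a reject-on-control-byte check placed in front of it, as an added example (not code from curl or from this bug report). The function names, the `check` flag and the sample URLs are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* 1 if s holds CR, LF or any other ASCII control byte (or DEL). */
static int has_control_bytes(const char *s)
{
    for (const unsigned char *p = (const unsigned char *)s; *p; p++)
        if (*p < 0x20 || *p == 0x7f)
            return 1;
    return 0;
}

/* Request head as sent to an HTTP proxy: the whole URL goes into the
   request line. With check == 0 the URL is copied as-is (the behaviour the
   advisory describes). Returns length, or -1 on rejection or truncation. */
static int build_proxy_request(char *out, size_t outlen, const char *url,
                               const char *host, int check)
{
    if (check && (has_control_bytes(url) || has_control_bytes(host)))
        return -1;
    int n = snprintf(out, outlen, "GET %s HTTP/1.1\r\nHost: %s\r\n\r\n",
                     url, host);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* CRLF-terminated lines in buf; a clean head built above has exactly 3. */
static int count_crlf_lines(const char *buf)
{
    int lines = 0;
    for (const char *p = buf; (p = strstr(p, "\r\n")) != NULL; p += 2)
        lines++;
    return lines;
}

int main(void)
{
    /* Constructed sample inputs, not taken from the advisory. */
    const char *clean = "http://example.com/index.html";
    const char *tainted = "http://example.com/\r\nX-Constructed: 1";
    char buf[512];
    build_proxy_request(buf, sizeof buf, tainted, "example.com", 0);
    printf("unchecked: %d lines on the wire\n", count_crlf_lines(buf));
    printf("checked, tainted URL: %d\n",
           build_proxy_request(buf, sizeof buf, tainted, "example.com", 1));
    printf("checked, clean URL: %d\n",
           build_proxy_request(buf, sizeof buf, clean, "example.com", 1));
    return 0;
}
```

An application that cannot yet take the updated packages can apply the same kind of check to any URL it receives from an untrusted source before handing it to libcurl.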
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=14468#c4
Whiteboard: (none) => has_procedure
MGA4-64 on HP Probook 6555b KDE
ref testcases Comment 4
I did not try IMAP
Last 3 examples complete successfully.
The test on pop3: mixed bag. Tried with 3 different providers:
one: responds: curl: (67) Authentication cancelled
second (gmail): just times out
third retrieves mail OK.

CC: (none) => herman.viaene
Whiteboard: has_procedure => has_procedure MGA4-64 OK
Comment 4 on bug 14468.
MGA4-32 on AcerD620 Xfce Tests 1, 3, 4 and 5 as above OK
Whiteboard: has_procedure MGA4-64 OK => has_procedure MGA4-64 OK MGA4-32-OK
Whiteboard: has_procedure MGA4-64 OK MGA4-32-OK => has_procedure MGA4-64-OK MGA4-32-OK
Validating. Advisory uploaded.
Please push to 4 updates
Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs
Debian has issued an advisory for this on January 8: https://www.debian.org/security/2015/dsa-3122
URL: (none) => http://lwn.net/Vulnerabilities/628973/
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0020.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED