Bug 15746 - curl new security issues CVE-2015-314[3458]
Summary: curl new security issues CVE-2015-314[3458]
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/641423/
Whiteboard: has_procedure advisory MGA4-64-OK
Keywords: validated_update
Depends on:
Reported: 2015-04-22 16:58 CEST by David Walser
Modified: 2015-05-03 02:20 CEST (History)
2 users (show)

See Also:
Source RPM: curl-7.40.0-1.mga5.src.rpm
Status comment:


Description David Walser 2015-04-22 16:58:58 CEST
cURL 7.42.0 has been released today (April 22):

There are 4 associated security advisories:
http://curl.haxx.se/docs/adv_20150422D.html (CVE-2015-3144)
http://curl.haxx.se/docs/adv_20150422C.html (CVE-2015-3145)
http://curl.haxx.se/docs/adv_20150422B.html (CVE-2015-3148)
http://curl.haxx.se/docs/adv_20150422A.html (CVE-2015-3143)

We have curl 7.34.0 in Mageia 4, which the advisory says is not affected by CVE-2015-3144.  The linked upstream patches for CVE-2015-3143 and CVE-2015-3145 apply cleanly to 7.34.0.  The CVE-2015-3148 patch does not apply, and looking at the code, I don't see how 7.34.0 is affected, even though the advisory says that it is.

Dan, do you have any insight on this?


Steps to Reproduce:
David Walser 2015-04-22 16:59:12 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-04-22 17:25:24 CEST
Debian has issued an advisory for this today (April 22):

I see in this commit for wheezy where they had to also add an intermediate commit to introduce the code that was patched in the CVE-2015-3148 patch:

It's not clear to me how this isn't just introducing the vulnerability and then fixing it, but I guess I'm missing something.  I'll add the additional patch.
Comment 2 David Walser 2015-04-22 17:39:29 CEST
Patches checked into Mageia 4 and Cauldron SVN.

Freeze push requested for Cauldron.

The DSA referenced above will be posted here:
David Walser 2015-04-22 19:30:04 CEST

URL: (none) => http://lwn.net/Vulnerabilities/641423/

Comment 3 Dan Fandrich 2015-04-22 22:43:11 CEST
The extra Debian patch isn't introducing the vulnerability; rather it's fixing a GSS data structure lifetime issue that doesn't affect connection reuse. Frankly, I'm a bit surprised Negotiate worked at all without that patch (Negotiate is not covered by the curl test suite, unfortunately). It's the connclose() call in the CVE-3148 patch that fixes the security issue, and it could also have been applied by rediffing the patch. But, I think the current set of patches in SVN is a better solution; I'm happy with what I see there now. Thanks for taking care of this.
Dan Fandrich 2015-04-22 22:43:33 CEST

Assignee: dan => luigiwalser

Comment 4 David Walser 2015-04-24 17:05:11 CEST
Patched packages uploaded for Mageia 4 and Cauldron.


Updated curl packages fix security vulnerabilities:

NTLM-authenticated connections could be wrongly reused for requests without
any credentials set, leading to HTTP requests being sent over the connection
authenticated as a different user (CVE-2015-3143).

When parsing HTTP cookies, if the parsed cookie's "path" element consists of a
single double-quote, libcurl would try to write to an invalid heap memory
address. This could allow remote attackers to cause a denial of service
(crash) (CVE-2015-3145).

When doing HTTP requests using the Negotiate authentication method along with
NTLM, the connection used would not be marked as authenticated, making it
possible to reuse it and send requests for one user over the connection
authenticated as a different user (CVE-2015-3148).


Updated packages in core/updates_testing:

from curl-7.34.0-1.6.mga4.src.rpm

Version: Cauldron => 4
Assignee: luigiwalser => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)

Comment 5 Lewis Smith 2015-05-01 19:00:17 CEST
Testing reference:

Testing MGA4 x64 real hardware.

With latest issued curl, did tests 1 3 4 5, saved their ouptut.

Updated to:
and re-ran the same 4 tests, again saving their output.
Compared the pre & post outputs, all of which were identical apart from hidden token values in a web page (Bug 14468). OK.

CC: (none) => lewyssmith
Whiteboard: (none) => MGA4-64-OK

Comment 6 claire robinson 2015-05-02 14:21:45 CEST
Validating. Advisory uploaded.

Please push to 4 updates


Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK => has_procedure advisory MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2015-05-03 02:20:14 CEST
An update for this issue has been pushed to Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.