Bug 16140 - curl new security issues CVE-2015-3236 and CVE-2015-3237
Summary: curl new security issues CVE-2015-3236 and CVE-2015-3237
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/649074/
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK a...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-06-17 17:24 CEST by David Walser
Modified: 2015-07-05 19:23 CEST

See Also:
Source RPM: curl-7.40.0-3.mga5.src.rpm
CVE:
Status comment:


Description David Walser 2015-06-17 17:24:29 CEST
Upstream has issued advisories today (June 17):
http://curl.haxx.se/docs/adv_20150617A.html
http://curl.haxx.se/docs/adv_20150617B.html

Patches committed in Cauldron SVN.  They will have to be committed in Mageia 5 SVN after it is branched.

Mageia 4 is not affected.

David Walser 2015-06-17 17:24:38 CEST

Whiteboard: (none) => MGA5TOO

Sander Lepik 2015-06-20 15:24:35 CEST

CC: (none) => mageia
Assignee: bugsquad => shlomif

Comment 1 David Walser 2015-06-20 16:44:19 CEST
Patched packages uploaded for Mageia 5 and Cauldron.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=14468#c4

Advisory:
========================

Updated curl packages fix security vulnerabilities:

libcurl can wrongly send HTTP credentials when re-using connections. Even if
the handle for an HTTP connection is reset, it retains the credentials, which
can cause them to be unintentionally leaked in subsequent requests
(CVE-2015-3236).

libcurl can get tricked by a malicious SMB server to send off data it did not
intend to. A malicious SMB server can use this to access arbitrary process
memory, or to crash the client, causing a denial of service (CVE-2015-3237).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3236
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3237
http://curl.haxx.se/docs/adv_20150617A.html
http://curl.haxx.se/docs/adv_20150617B.html
========================

Updated packages in core/updates_testing:
========================
curl-7.40.0-3.1.mga5
libcurl4-7.40.0-3.1.mga5
libcurl-devel-7.40.0-3.1.mga5
curl-examples-7.40.0-3.1.mga5

from curl-7.40.0-3.1.mga5.src.rpm

Version: Cauldron => 5
Assignee: shlomif => qa-bugs
Whiteboard: MGA5TOO => (none)
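
A check for Mageia 5 hosts that still carry the pre-update curl build, based on the package list in comment 1. This is an added example, not part of the bug report or of Mageia's tooling; the function names, the sample inventory and the simplified version comparison are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag Mageia 5 curl packages older than the fixed build.
FIXED_EVR="7.40.0-3.1.mga5"   # version-release from the package list above
PKGS="curl libcurl4 libcurl-devel curl-examples"   # names from the same list

# evr_lt A B: succeed when version-release A is strictly older than B.
# Simplification (assumption): the .mgaN dist tag is dropped and the remaining
# dot/dash separated fields are compared as integers; rpm's own comparison
# also handles letters, which these curl builds do not use.
evr_lt() {
    awk -v a="${1%.mga*}" -v b="${2%.mga*}" 'BEGIN {
        na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {          # missing fields count as 0
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1                              # equal is not "older"
    }' </dev/null
}

# check_inventory: read "name version-release" lines on stdin, print every
# listed mga5 package that predates the fix, return 1 if any was found.
# Other releases are skipped (the report says Mageia 4 is not affected).
check_inventory() {
    rc=0
    while read -r name evr; do
        case "$evr" in *.mga5) ;; *) continue ;; esac
        case " $PKGS " in *" $name "*) ;; *) continue ;; esac
        if evr_lt "$evr" "$FIXED_EVR"; then
            echo "NEEDS-UPDATE $name $evr (fixed in $FIXED_EVR)"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample inventory (not real host data), mixing several hosts.
sample_inventory() {
    printf '%s\n' "curl 7.40.0-3.mga5" "libcurl4 7.40.0-3.1.mga5" \
        "libcurl-devel 7.40.0-3.mga5" "curl 7.34.0-1.mga4" "wget 1.16-1.mga5"
}

# Real use: rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | check_inventory
sample_inventory | check_inventory || echo "listed packages predate the fix"
```

Library package names for other architectures are not given on this page; add them to `PKGS` if the hosts use them.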

David Walser 2015-06-23 20:33:05 CEST

URL: (none) => http://lwn.net/Vulnerabilities/649074/

Comment 2 David Walser 2015-06-24 19:16:58 CEST
Fedora has issued an advisory for this on June 20:
https://lists.fedoraproject.org/pipermail/package-announce/2015-June/160660.html

David Walser 2015-07-04 20:34:05 CEST

Whiteboard: (none) => has_procedure

Comment 3 Marc Lattemann 2015-07-04 21:01:07 CEST
Tested mga5 for 32 and 64bit. No specific PoC found, so used tests as linked in comment 1 (except using pop3s and imaps):
everything is working as expected.
Please upload advisory and validate package. Thanks

Marc Lattemann 2015-07-04 21:01:23 CEST

CC: (none) => marc.lattemann
Whiteboard: has_procedure => has_procedure MGA5-32-OK MGA5-6

Marc Lattemann 2015-07-04 21:01:35 CEST

Whiteboard: has_procedure MGA5-32-OK MGA5-6 => has_procedure MGA5-32-OK MGA5-64-OK

Comment 4 Dave Hodgins 2015-07-04 21:31:05 CEST
Advisory committed to svn.

Someone from the sysadmin team please push 16140.adv to updates.

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 5 Mageia Robot 2015-07-05 19:23:35 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0263.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

