Bug 19360 - curl new security issue CVE-2016-7167
Summary: curl new security issue CVE-2016-7167
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/700965/
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK a...
Keywords: validated_update
Depends on:
Reported: 2016-09-14 21:39 CEST by David Walser
Modified: 2016-09-21 22:39 CEST

See Also:
Source RPM: curl-7.40.0-3.4.mga5.src.rpm
Status comment:


Description David Walser 2016-09-14 21:39:52 CEST
Upstream has issued an advisory today (September 14):

Updated package uploaded for Cauldron.

Patched package uploaded for Mageia 5.


Updated curl packages fix security vulnerability:

The four libcurl functions curl_escape(), curl_easy_escape(), curl_unescape and
curl_easy_unescape perform string URL percent escaping and unescaping. They
accept custom string length inputs in signed integer arguments. The provided
string length arguments were not properly checked and due to arithmetic in the
functions, passing in the length 0xffffffff (2^32-1 or UINT_MAX or even just -1)
would end up causing an allocation of zero bytes of heap memory that curl would
attempt to write gigabytes of data into (CVE-2016-7167).


Updated packages in core/updates_testing:

from curl-7.40.0-3.5.mga5.src.rpm
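
The length arithmetic described in the advisory text above, as an added example that is not part of the original bug report and is not libcurl's source. The function names are hypothetical; the block models how a signed length of -1 wraps to a zero-byte allocation size and shows a decoder that rejects such lengths before sizing its buffer.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the flawed sizing (hypothetical name, not libcurl source). */
size_t unchecked_alloc_size(const char *s, int length)
{
    size_t n = length ? (size_t)length : strlen(s);
    return n + 1; /* length == -1: SIZE_MAX + 1 wraps to 0 */
}

/* Hardened sizing: refuse negative lengths before doing any arithmetic. */
int checked_alloc_size(const char *s, int length, size_t *out)
{
    if (s == NULL || out == NULL || length < 0)
        return -1;
    *out = (length ? (size_t)length : strlen(s)) + 1;
    return 0;
}

/* Percent-decoder built on the checked size. Returns a malloc'd string, or
 * NULL for a rejected length. A non-zero length must not exceed the buffer. */
char *safe_unescape(const char *s, int length)
{
    size_t alloc, i, o = 0;
    char *out;
    if (checked_alloc_size(s, length, &alloc) != 0 || !(out = malloc(alloc)))
        return NULL;
    for (i = 0; i + 1 < alloc; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '%' && i + 3 < alloc &&
            isxdigit((unsigned char)s[i + 1]) && isxdigit((unsigned char)s[i + 2])) {
            char hex[3] = { s[i + 1], s[i + 2], '\0' };
            c = (unsigned char)strtoul(hex, NULL, 16);
            i += 2;
        }
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return out;
}

int main(void)
{
    char *d = safe_unescape("a%20b", 0); /* constructed sample input */
    printf("unchecked size for -1: %zu, decoded: %s\n", unchecked_alloc_size("abc", -1), d ? d : "(rejected)");
    free(d);
}
```
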
Comment 1 David Walser 2016-09-14 21:40:34 CEST
Testing procedure:

(basic testing is fine since most things are checked during build-time tests)

Whiteboard: (none) => has_procedure

Comment 2 Herman Viaene 2016-09-16 11:28:00 CEST
MGA5-32 on Acer D620 Xfce
No installation issues.
Did tests as referred above, except IMAP, all OK.

CC: (none) => herman.viaene

Herman Viaene 2016-09-16 11:28:16 CEST

Whiteboard: has_procedure => has_procedure MGA5-32-OK

David Walser 2016-09-16 19:04:22 CEST

URL: (none) => http://lwn.net/Vulnerabilities/700965/

Comment 3 Lewis Smith 2016-09-19 21:29:48 CEST
Testing Mageia 5 x64.

BEFORE update; ran through the tests (also except IMAP) cited in the Comment 1 link just to make sure it worked.

AFTER update to:

1)  $ curl pop3://user:password@pop.free.fr/1
output the 1st queued message.

2) $ curl -L https://ixquick.com
output the HTML page.

3) $ curl -l ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/i586/media/core/updates/
output the relevant updates directory listing.

4) $ curl -o qarte.rpm ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/i586/media/core/updates/qarte-2.2.0-1.mga4.noarch.rpm
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  365k  100  365k    0     0   114k      0  0:00:03  0:00:03 --:--:--  116k
 $ ls -l
 -rw-r--r-- 1 lewis lewis  373896 Med  19 21:26 qarte.rpm
i.e. the specified file was correctly downloaded.

This update is OK. Validated.

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK MGA5-64-OK
CC: (none) => lewyssmith, sysadmin-bugs

Comment 4 Dave Hodgins 2016-09-21 16:43:28 CEST
Advisory added to svn

CC: (none) => davidwhodgins
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory

Comment 5 Mageia Robot 2016-09-21 22:39:33 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED
