Upstream has issued an advisory today (September 14): https://curl.haxx.se/docs/adv_20160914.html Updated package uploaded for Cauldron. Patched package uploaded for Mageia 5. Advisory: ======================== Updated curl packages fix security vulnerability: The four libcurl functions curl_escape(), curl_easy_escape(), curl_unescape and curl_easy_unescape perform string URL percent escaping and unescaping. They accept custom string length inputs in signed integer arguments. The provided string length arguments were not properly checked and due to arithmetic in the functions, passing in the length 0xffffffff (2^32-1 or UINT_MAX or even just -1) would end up causing an allocation of zero bytes of heap memory that curl would attempt to write gigabytes of data into (CVE-2016-7167). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7167 https://curl.haxx.se/docs/adv_20160914.html ======================== Updated packages in core/updates_testing: ======================== curl-7.40.0-3.5.mga5 libcurl4-7.40.0-3.5.mga5 libcurl-devel-7.40.0-3.5.mga5 curl-examples-7.40.0-3.5.mga5 from curl-7.40.0-3.5.mga5.src.rpm
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=14468#c4 (basic testing is fine since most things are checked during build-time tests)
Whiteboard: (none) => has_procedure
MGA5-32 on Acer D620 Xfce No installation issues. Did tests as refered above, except IMAP, all OK.
CC: (none) => herman.viaene
Whiteboard: has_procedure => has_procedure MGA5-32-OK
URL: (none) => http://lwn.net/Vulnerabilities/700965/
Testing Mageia 5 x64. BEFORE update; ran through the tests (also except IMAP) cited in the Comment 1 link just to make sure it worked. AFTER update to: curl-7.40.0-3.5.mga5 lib64curl4-7.40.0-3.5.mga5 1) $ curl pop3://user:password@pop.free.fr/1 output the 1st queued message. 2) $ curl -L https://ixquick.com output the HTML page. 3) $ curl -l ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/i586/media/core/updates/ output the relevant updates directory listing. 4) $ curl -o qarte.rpm ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/i586/media/core/updates/qarte-2.2.0-1.mga4.noarch.rpm % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 365k 100 365k 0 0 114k 0 0:00:03 0:00:03 --:--:-- 116k $ ls -l -rw-r--r-- 1 lewis lewis 373896 Med 19 21:26 qarte.rpm i.e. the specified file was correctly downloaded. This update is OK. Validated.
Keywords: (none) => validated_updateWhiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK MGA5-64-OKCC: (none) => lewyssmith, sysadmin-bugs
Advisory added to svn
CC: (none) => davidwhodginsWhiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0316.html
Status: NEW => RESOLVEDResolution: (none) => FIXED