Bug 21481 - curl new security issues CVE-2017-1000099 and CVE-2017-100010[01]
Summary: curl new security issues CVE-2017-1000099 and CVE-2017-100010[01]
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: advisory has_procedure MGA6-64-OK
Keywords: validated_update
Depends on:
Blocks: 19700
  Show dependency treegraph
Reported: 2017-08-10 01:10 CEST by David Walser
Modified: 2017-08-19 11:59 CEST (History)
4 users (show)

See Also:
Source RPM: curl-7.54.1-2.mga6.src.rpm
Status comment:


Description David Walser 2017-08-10 01:10:46 CEST
cURL has issued advisories today (August 9):

The last, CVE-2017-1000099, only affects Mageia 6.  The others also affect Mageia 5.
David Walser 2017-08-10 01:11:16 CEST

Whiteboard: (none) => MGA5TOO
Blocks: (none) => 19700

Comment 1 Nicolas Lécureuil 2017-08-10 13:18:52 CEST
pushed for mga6
src.rpm:   curl-7.54.1-2.1.mga6

CC: (none) => mageia

Comment 2 Nicolas Lécureuil 2017-08-10 15:15:29 CEST
pushed for mga5:
src.rpm:   curl-7.40.0-3.8.mga5

Assignee: shlomif => qa-bugs

Comment 3 David Walser 2017-08-10 15:20:00 CEST
Almost there.  You forgot to patch CVE-2017-100010[01] in Mageia 6.  We need to update Cauldron to 7.55.0.  In Mageia 5, do you really think it's OK to disable all tests?  Perhaps some of the failing ones (due to patches added previously) indicate some breakage caused by the patches.

CC: (none) => qa-bugs
Assignee: qa-bugs => mageia

Comment 4 Nicolas Lécureuil 2017-08-10 15:31:39 CEST
it tested and it fails w/o my patches, i don't know how it built before.

i will add the patches for mga6
Comment 5 Nicolas Lécureuil 2017-08-10 15:33:44 CEST
seems related to patch curl-7.40.0-CVE-2016-9586.patch  ( build failure on mga5 )
Comment 6 David Walser 2017-08-10 16:00:31 CEST
Yes we haven't been able to build an update for Mageia 5 in quite some time because of a previously added patch.
Comment 7 Nicolas Lécureuil 2017-08-10 16:06:56 CEST
pushed in cauldron.

i think we can validate the mga5 w/o the tests or we need someone to fix the make file for the related patch
Comment 8 David Walser 2017-08-10 16:48:30 CEST
OK.  Mageia 5 is missing a patch for CVE-2017-7407:

If we add that I guess we can push it.
Comment 9 Nicolas Lécureuil 2017-08-10 17:01:51 CEST
added src.rpm:   curl-7.40.0-3.10.mga5
Comment 10 David Walser 2017-08-10 18:50:57 CEST
Thanks Nicolas!  I'll handle the Mageia 5 update in Bug 19700.

Advisory to come.  Updated packages listed below.


from curl-7.54.1-2.2.mga6.src.rpm

Whiteboard: MGA5TOO => (none)
Assignee: mageia => qa-bugs
CC: qa-bugs => (none)

Comment 11 David Walser 2017-08-10 19:01:09 CEST

Updated curl packages fix security vulnerabilities:

When asking to get a file from a file:// URL, libcurl provides a feature that
outputs meta-data about the file using HTTP-like headers. The code doing this
would send the wrong buffer to the user (stdout or the application's provide
callback), which could lead to other private data from the heap to get
inadvertently displayed. The wrong buffer was an uninitialized memory area
allocated on the heap and if it turned out to not contain any zero byte, it
would continue and display the data following that buffer in memory

When doing a TFTP transfer and curl/libcurl is given a URL that contains a very
long file name (longer than about 515 bytes), the file name is truncated to fit
within the buffer boundaries, but the buffer size is still wrongly updated to
use the untruncated length. This too large value is then used in the sendto()
call, making curl attempt to send more data than what is actually put into the
buffer. The sendto() function will then read beyond the end of the heap based
buffer. A malicious HTTP(S) server could redirect a vulnerable libcurl-using
client to a crafted TFTP URL (if the client hasn't restricted which protocols
it allows redirects to) and trick it to send private memory contents to a
remote server over UDP. Limit curl's redirect protocols with --proto-redir and
libcurl's with CURLOPT_REDIR_PROTOCOLS (CVE-2017-1000100).

curl supports "globbing" of URLs, in which a user can pass a numerical range to
have the tool iterate over those numbers to do a sequence of transfers. In the
globbing function that parses the numerical range, there was an omission that
made curl read a byte beyond the end of the URL if given a carefully crafted,
or just wrongly written, URL. The URL is stored in a heap based buffer, so it
could then be made to wrongly read something else instead of crashing

Comment 12 David Walser 2017-08-10 19:03:15 CEST
Testing procedure:

(basic testing is fine since most things are checked during build-time tests)

Also, the first upstream advisory has a PoC.

Whiteboard: (none) => has_procedure

Comment 13 PC LX 2017-08-10 19:20:42 CEST
Installed without issue but it is NOT working. A simple test failed.

$ rpm -qa | grep curl.*7.40

$ curl -vv http://example.com/
* Rebuilt URL to: http://ex/example.com
* getaddrinfo(3) failed for //:80
* Couldn't resolve host '//'
* Closing connection 0
curl: (6) Couldn't resolve host '//'

$ curl -vv http://example.com:80/
* Rebuilt URL to: http://ex/example.com:80
* getaddrinfo(3) failed for //:80
* Couldn't resolve host '//'
* Closing connection 0
curl: (6) Couldn't resolve host '//'
*** Error in `curl': corrupted double-linked list: 0x0000000001021c00 ***

$ # Curiously, it works without http://.
$ curl -Ivv example.com
* Rebuilt URL to: example.com/
*   Trying
* Connected to example.com ( port 80 (#0)
> HEAD / HTTP/1.1
> User-Agent: curl/7.40.0
> Host: example.com
> Accept: */*
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Cache-Control: max-age=604800
Cache-Control: max-age=604800
< Content-Type: text/html
Content-Type: text/html
< Date: Thu, 10 Aug 2017 17:18:29 GMT
Date: Thu, 10 Aug 2017 17:18:29 GMT
< Etag: "359670651+gzip"
Etag: "359670651+gzip"
< Expires: Thu, 17 Aug 2017 17:18:29 GMT
Expires: Thu, 17 Aug 2017 17:18:29 GMT
< Last-Modified: Fri, 09 Aug 2013 23:54:35 GMT
Last-Modified: Fri, 09 Aug 2013 23:54:35 GMT
< Server: ECS (lga/13A4)
Server: ECS (lga/13A4)
< X-Cache: HIT
X-Cache: HIT
< Content-Length: 1270
Content-Length: 1270

* Connection #0 to host example.com left intact

CC: (none) => mageia

Comment 14 PC LX 2017-08-10 19:22:46 CEST
Oops! Sorry for the noise the above comment, should have gone to Bug 19700.
Comment 15 Len Lawrence 2017-08-16 19:13:02 CEST
mga6  x86_64

Tried out the commands listed against the previous bug report 14468#4.
Interesting to see that the old distrib-coffee repositories are still there.

Not at all sure what my Google imail password is.  Trying to access my email via curl simply hung (using the last password written down).

After the update the same tests produced the same results.

Could not find the curl examples but they belong to the Development/C group so are likely to be files that need compiling.  "Example files for curl development"

CC: (none) => tarazed25

Len Lawrence 2017-08-16 19:13:28 CEST

Whiteboard: has_procedure => MGA5TOO has_procedure MGA6-64-OK

David Walser 2017-08-18 02:11:26 CEST

Whiteboard: MGA5TOO has_procedure MGA6-64-OK => has_procedure MGA6-64-OK

Comment 16 Rémi Verschelde 2017-08-19 11:15:28 CEST
Validating, advisory uploaded.

Whiteboard: has_procedure MGA6-64-OK => advisory has_procedure MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 17 Mageia Robot 2017-08-19 11:59:14 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.