cURL has issued advisories today (August 9): https://curl.haxx.se/docs/adv_20170809A.html https://curl.haxx.se/docs/adv_20170809B.html https://curl.haxx.se/docs/adv_20170809C.html The last, CVE-2017-1000099, only affects Mageia 6. The others also affect Mageia 5.
Whiteboard: (none) => MGA5TOOBlocks: (none) => 19700
pushed for mga6 src.rpm: curl-7.54.1-2.1.mga6
CC: (none) => mageia
pushed for mga5: src.rpm: curl-7.40.0-3.8.mga5
Assignee: shlomif => qa-bugs
Almost there. You forgot to patch CVE-2017-100010[01] in Mageia 6. We need to update Cauldron to 7.55.0. In Mageia 5, do you really think it's OK to disable all tests? Perhaps some of the failing ones (due to patches added previously) indicate some breakage caused by the patches.
CC: (none) => qa-bugsAssignee: qa-bugs => mageia
it tested and it fails w/o my patches, i don't know how it built before. i will add the patches for mga6
seems related to patch curl-7.40.0-CVE-2016-9586.patch ( build failure on mga5 )
Yes we haven't been able to build an update for Mageia 5 in quite some time because of a previously added patch.
pushed in cauldron. i think we can validate the mga5 w/o the tests or we need someone to fix the make file for the related patch
OK. Mageia 5 is missing a patch for CVE-2017-7407: https://bugs.mageia.org/show_bug.cgi?id=19700#c7 If we add that I guess we can push it.
added src.rpm: curl-7.40.0-3.10.mga5
Thanks Nicolas! I'll handle the Mageia 5 update in Bug 19700. Advisory to come. Updated packages listed below. curl-7.54.1-2.2.mga6 libcurl4-7.54.1-2.2.mga6 libcurl-devel-7.54.1-2.2.mga6 curl-examples-7.54.1-2.2.mga6 from curl-7.54.1-2.2.mga6.src.rpm
Whiteboard: MGA5TOO => (none)Assignee: mageia => qa-bugsCC: qa-bugs => (none)
Advisory: ======================== Updated curl packages fix security vulnerabilities: When asking to get a file from a file:// URL, libcurl provides a feature that outputs meta-data about the file using HTTP-like headers. The code doing this would send the wrong buffer to the user (stdout or the application's provide callback), which could lead to other private data from the heap to get inadvertently displayed. The wrong buffer was an uninitialized memory area allocated on the heap and if it turned out to not contain any zero byte, it would continue and display the data following that buffer in memory (CVE-2017-1000099). When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too large value is then used in the sendto() call, making curl attempt to send more data than what is actually put into the buffer. The sendto() function will then read beyond the end of the heap based buffer. A malicious HTTP(S) server could redirect a vulnerable libcurl-using client to a crafted TFTP URL (if the client hasn't restricted which protocols it allows redirects to) and trick it to send private memory contents to a remote server over UDP. Limit curl's redirect protocols with --proto-redir and libcurl's with CURLOPT_REDIR_PROTOCOLS (CVE-2017-1000100). curl supports "globbing" of URLs, in which a user can pass a numerical range to have the tool iterate over those numbers to do a sequence of transfers. In the globbing function that parses the numerical range, there was an omission that made curl read a byte beyond the end of the URL if given a carefully crafted, or just wrongly written, URL. The URL is stored in a heap based buffer, so it could then be made to wrongly read something else instead of crashing (CVE-2017-1000101). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000099 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000100 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000101 https://curl.haxx.se/docs/adv_20170809A.html https://curl.haxx.se/docs/adv_20170809B.html https://curl.haxx.se/docs/adv_20170809C.html
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=14468#c4 (basic testing is fine since most things are checked during build-time tests) Also, the first upstream advisory has a PoC.
Whiteboard: (none) => has_procedure
Installed without issue but it is NOT working. A simple test failed. $ rpm -qa | grep curl.*7.40 lib64curl4-7.40.0-3.8.mga5 libcurl4-7.40.0-3.8.mga5 curl-7.40.0-3.8.mga5 $ curl -vv http://example.com/ * Rebuilt URL to: http://ex/example.com * getaddrinfo(3) failed for //:80 * Couldn't resolve host '//' * Closing connection 0 curl: (6) Couldn't resolve host '//' $ curl -vv http://example.com:80/ * Rebuilt URL to: http://ex/example.com:80 * getaddrinfo(3) failed for //:80 * Couldn't resolve host '//' * Closing connection 0 curl: (6) Couldn't resolve host '//' *** Error in `curl': corrupted double-linked list: 0x0000000001021c00 *** ^C $ # Curiously, it works without http://. $ curl -Ivv example.com * Rebuilt URL to: example.com/ * Trying 93.184.216.34... * Connected to example.com (93.184.216.34) port 80 (#0) > HEAD / HTTP/1.1 > User-Agent: curl/7.40.0 > Host: example.com > Accept: */* > < HTTP/1.1 200 OK HTTP/1.1 200 OK < Accept-Ranges: bytes Accept-Ranges: bytes < Cache-Control: max-age=604800 Cache-Control: max-age=604800 < Content-Type: text/html Content-Type: text/html < Date: Thu, 10 Aug 2017 17:18:29 GMT Date: Thu, 10 Aug 2017 17:18:29 GMT < Etag: "359670651+gzip" Etag: "359670651+gzip" < Expires: Thu, 17 Aug 2017 17:18:29 GMT Expires: Thu, 17 Aug 2017 17:18:29 GMT < Last-Modified: Fri, 09 Aug 2013 23:54:35 GMT Last-Modified: Fri, 09 Aug 2013 23:54:35 GMT < Server: ECS (lga/13A4) Server: ECS (lga/13A4) < X-Cache: HIT X-Cache: HIT < Content-Length: 1270 Content-Length: 1270 < * Connection #0 to host example.com left intact
Oops! Sorry for the noise the above comment, should have gone to Bug 19700.
mga6 x86_64 Tried out the commands listed against the previous bug report 14468#4. Interesting to see that the old distrib-coffee repositories are still there. Not at all sure what my Google imail password is. Trying to access my email via curl simply hung (using the last password written down). After the update the same tests produced the same results. Could not find the curl examples but they belong to the Development/C group so are likely to be files that need compiling. "Example files for curl development"
CC: (none) => tarazed25
Whiteboard: has_procedure => MGA5TOO has_procedure MGA6-64-OK
Whiteboard: MGA5TOO has_procedure MGA6-64-OK => has_procedure MGA6-64-OK
Validating, advisory uploaded.
Whiteboard: has_procedure MGA6-64-OK => advisory has_procedure MGA6-64-OKKeywords: (none) => validated_updateCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0281.html
Status: NEW => RESOLVEDResolution: (none) => FIXED