Bug 22445 - curl new security issues CVE-2018-1000005 and CVE-2018-1000007
Summary: curl new security issues CVE-2018-1000005 and CVE-2018-1000007
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 22457
  Show dependency treegraph
 
Reported: 2018-01-24 12:29 CET by David Walser
Modified: 2018-02-06 07:26 CET (History)
6 users (show)

See Also:
Source RPM: curl-7.54.1-2.4.mga6.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2018-01-24 12:29:32 CET
Upstream has issued advisories today (January 24):
https://curl.haxx.se/docs/adv_2018-824a.html
https://curl.haxx.se/docs/adv_2018-b3bf.html

The issues are fixed in 7.58.0 (uploaded for Cauldron) and patches are available.

Mageia 5 is also affected.
David Walser 2018-01-24 12:30:22 CET

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2018-01-25 09:30:51 CET
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => shlomif

Comment 2 Shlomi Fish 2018-01-25 18:29:35 CET
(In reply to Marja van Waes from comment #1)
> Assigning to the registered maintainer.

updated submitted to 6 core/updates_testing with %subrel 5.
David Walser 2018-01-26 04:37:07 CET

Blocks: (none) => 22457

Comment 3 David Walser 2018-01-26 04:45:15 CET
Thanks.  Mageia 5 moved to Bug 22457 and can be dealt with later.

Advisory:
========================

Updated curl packages fix security vulnerabilities:

It was reported that reading an HTTP/2 trailer could mess up future trailers
since the stored size was one byte less than required. When accessed, the data
is read out of bounds and causes either a crash or that the (too large) data
gets passed to the libcurl callback. This might lead to a denial-of-service
situation or an information disclosure if someone has a service that echoes
back or uses the trailers for something (CVE-2018-1000005).

When asked to send custom headers in its HTTP requests, libcurl will send that
set of headers first to the host in the initial URL but also, if asked to
follow redirects and a 30X HTTP response code is returned, to the host
mentioned in URL in the Location: response header value. Sending the same set
of headers to subsequest hosts is in particular a problem for applications
that pass on custom Authorization: headers, as this header often contains
privacy sensitive information or data that could allow others to impersonate
the libcurl-using client's request (CVE-2018-1000008).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000005
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000008
https://curl.haxx.se/docs/adv_2018-824a.html
https://curl.haxx.se/docs/adv_2018-b3bf.html
========================

Updated packages in core/updates_testing:
========================
curl-7.54.1-2.5.mga6
libcurl4-7.54.1-2.5.mga6
libcurl-devel-7.54.1-2.5.mga6
curl-examples-7.54.1-2.5.mga6

from curl-7.54.1-2.5.mga6.src.rpm

Whiteboard: MGA5TOO => (none)
CC: (none) => shlomif
Assignee: shlomif => qa-bugs
Component: RPM Packages => Security
QA Contact: (none) => security

Comment 4 PC LX 2018-01-27 12:34:22 CET
Installed and tested without issues.

Tested curl CLI.
Tested HTTP/1.1, HTTP/2, FTP and SSH/SFTP protocols.
Tested with tor's SOCKS5 proxy and ssh tunnel.
Tested PHP's curl support.
Tested Python's curl support.

Anyone knows a way to test the specific vulnerabilities?

System: Mageia 6, x86_64, Intel CPU.

$ uname -a
Linux marte 4.14.15-desktop-2.mga6 #1 SMP Wed Jan 24 23:42:14 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep curl | sort
curl-7.54.1-2.5.mga6
lib64curl4-7.54.1-2.5.mga6
libcurl4-7.54.1-2.4.mga6
php-curl-5.6.33-1.mga6
python3-curl-7.43.0-2.mga6

CC: (none) => mageia

Comment 5 David Walser 2018-01-28 18:46:17 CET
Debian has issued an advisory for this on January 26:
https://www.debian.org/security/2018/dsa-4098
Comment 6 Len Lawrence 2018-02-05 09:27:21 CET
@PC LX
Thanks for your very comprehensive testing of this update.  I am adding the 64-bit OK on your behalf.

You obviously know what you are doing, so it would be very helpful for other testers unversed in these matters if you could find the time to document your procedures, in simple terms if possible.

Looking at the links provided in the advisory it does not look as if any POCs are available.

Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25

Comment 7 Dave Hodgins 2018-02-06 05:16:37 CET
Advisory committed to svn. Validating the update.

Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 8 Mageia Robot 2018-02-06 07:26:47 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0110.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.