Bug 23789 - curl new security issues CVE-2018-16839, CVE-2018-1684[02], CVE-2018-16890, CVE-2019-382[23], CVE-2019-543[56], CVE-2019-548[12]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-10-31 10:54 CET by David Walser
Modified: 2019-11-30 14:07 CET

See Also:
Source RPM: curl-7.64.1-1.mga7.src.rpm
CVE: CVE-2019-543[56], CVE-2019-548[12]
Status comment:


Description David Walser 2018-10-31 10:54:50 CET
Upstream has released cURL 7.62.0 today (October 31):
https://curl.haxx.se/changes.html#7_62_0

It fixes three security issues:
https://curl.haxx.se/docs/CVE-2018-16839.html
https://curl.haxx.se/docs/CVE-2018-16840.html
https://curl.haxx.se/docs/CVE-2018-16842.html

Mageia 6 is also affected by the first and third issues.  Patches are linked from the upstream advisories.
David Walser 2018-10-31 10:55:00 CET

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-11-01 07:06:19 CET
Assigning to the registered maintainer.

Assignee: bugsquad => shlomif
CC: (none) => marja11

Comment 2 David Walser 2018-11-08 17:45:34 CET
Debian has issued an advisory for this on November 2:
https://www.debian.org/security/2018/dsa-4331

Comment 3 David Walser 2019-01-01 01:46:10 CET
Shlomi updated to 7.62.0 in Cauldron.

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6

Comment 4 David Walser 2019-01-28 01:54:22 CET
Fedora says wget's CVE-2018-20483 also affects curl:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/AMBI4JRD6CXI7BO7EF3SHBEPARNL4ZBQ/

Comment 5 David Walser 2019-02-07 17:46:21 CET
cURL 7.64.0 has been released on February 6, fixing more security issues:
https://curl.haxx.se/changes.html#7_64_0
https://curl.haxx.se/docs/CVE-2018-16890.html
https://curl.haxx.se/docs/CVE-2019-3822.html
https://curl.haxx.se/docs/CVE-2019-3823.html

Shlomi updated it in Cauldron.

Summary: curl new security issues CVE-2018-16839 and CVE-2018-1684[02] => curl new security issues CVE-2018-16839, CVE-2018-1684[02], CVE-2018-16890, CVE-2019-382[23]

Comment 6 David Walser 2019-02-10 19:33:48 CET
Debian has issued an advisory for this on February 6:
https://www.debian.org/security/2019/dsa-4386

Comment 7 David Walser 2019-05-22 13:20:44 CEST
cURL 7.65.0 has been released today (May 22), fixing two security issues:
https://curl.haxx.se/changes.html#7_65_0
https://curl.haxx.se/docs/CVE-2019-5435.html
https://curl.haxx.se/docs/CVE-2019-5436.html

CVE-2019-5435 only affects Cauldron, CVE-2019-5436 also affects Mageia 6.

Summary: curl new security issues CVE-2018-16839, CVE-2018-1684[02], CVE-2018-16890, CVE-2019-382[23] => curl new security issues CVE-2018-16839, CVE-2018-1684[02], CVE-2018-16890, CVE-2019-382[23], CVE-2019-5436

Comment 8 David Walser 2019-05-31 20:33:54 CEST
Shlomi built 7.65.0 in updates_testing but it never got moved to release.

Version: 6 => Cauldron
Whiteboard: (none) => MGA7TOO, MGA6TOO

Comment 9 David Walser 2019-08-11 21:39:26 CEST
Ubuntu advisory for the most recent CVEs, from May 22:
https://usn.ubuntu.com/3993-1/

Comment 10 David Walser 2019-09-11 12:27:21 CEST
cURL 7.66.0 has been released today (September 11), fixing two security issues:
https://curl.haxx.se/changes.html#7_66_0
https://curl.haxx.se/docs/CVE-2019-5481.html
https://curl.haxx.se/docs/CVE-2019-5482.html

Mageia 6 and Mageia 7 are also affected.

Summary: curl new security issues CVE-2018-16839, CVE-2018-1684[02], CVE-2018-16890, CVE-2019-382[23], CVE-2019-5436 => curl new security issues CVE-2018-16839, CVE-2018-1684[02], CVE-2018-16890, CVE-2019-382[23], CVE-2019-5436, CVE-2019-548[12]

Comment 11 David Walser 2019-11-12 20:32:34 CET
Red Hat has issued an advisory for some of these issues on November 5:
https://access.redhat.com/errata/RHSA-2019:3701

Assignee: shlomif => pkg-bugs
CC: (none) => shlomif

Comment 12 Nicolas Salguero 2019-11-13 10:39:25 CET
CVE-2018-16839, CVE-2018-1684[02], CVE-2018-16890, CVE-2019-382[23] already fixed in Mageia 7.

CC: (none) => nicolas.salguero

Comment 13 Nicolas Salguero 2019-11-13 10:41:16 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

An integer overflow in curl's URL API results in a buffer overflow in libcurl 7.62.0 to and including 7.64.1. (CVE-2019-5435)

A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1. (CVE-2019-5436)

Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3. (CVE-2019-5481)

Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3. (CVE-2019-5482)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5435
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5436
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5481
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482
https://curl.haxx.se/changes.html#7_65_0
https://curl.haxx.se/docs/CVE-2019-5435.html
https://curl.haxx.se/docs/CVE-2019-5436.html
https://curl.haxx.se/changes.html#7_66_0
https://curl.haxx.se/docs/CVE-2019-5481.html
https://curl.haxx.se/docs/CVE-2019-5482.html
https://usn.ubuntu.com/3993-1/
========================

Updated packages in core/updates_testing:
========================
curl-7.66.0-1.mga7
lib(64)curl4-7.66.0-1.mga7
lib(64)curl-devel-7.66.0-1.mga7
curl-examples-7.66.0-1.mga7

from SRPMS:
curl-7.66.0-1.mga7.src.rpm

Whiteboard: MGA7TOO, MGA6TOO => (none)
Version: Cauldron => 7
Status: NEW => ASSIGNED
Source RPM: curl-7.54.1-2.7.mga6.src.rpm => curl-7.64.1-1.mga7.src.rpm
Assignee: pkg-bugs => qa-bugs
Summary: curl new security issues CVE-2018-16839, CVE-2018-1684[02], CVE-2018-16890, CVE-2019-382[23], CVE-2019-5436, CVE-2019-548[12] => curl new security issues CVE-2018-16839, CVE-2018-1684[02], CVE-2018-16890, CVE-2019-382[23], CVE-2019-543[56], CVE-2019-548[12]
CVE: (none) => CVE-2019-543[56], CVE-2019-548[12]
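
Added example, not part of the bug report or of Mageia's tooling: a shell check that maps an upstream libcurl version to the CVEs named in the suggested advisory in comment 13, using the version ranges exactly as that advisory states them. The function names are hypothetical, and a distribution package with backported patches can report an in-range version while already being fixed, so a match means "check the package changelog", not "vulnerable".

```shell
#!/bin/sh
# Added example: which CVEs from the suggested advisory (comment 13) cover a
# given upstream libcurl version. Function names are hypothetical.

# ver_to_int MAJOR.MINOR.PATCH -> one comparable integer
ver_to_int() {
    v=${1%%-*}                 # drop a suffix such as "-DEV"
    old_ifs=$IFS; IFS=.
    set -- $v                  # split on dots into $1 $2 $3
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# in_range VERSION LOW HIGH -> success if LOW <= VERSION <= HIGH
in_range() {
    n=$(ver_to_int "$1")
    [ "$n" -ge "$(ver_to_int "$2")" ] && [ "$n" -le "$(ver_to_int "$3")" ]
}

# affected_cves VERSION -> space-separated CVE ids whose range includes VERSION
affected_cves() {
    out=""
    # Ranges copied from the advisory text: CVE, first affected, last affected.
    while read -r cve low high; do
        [ -n "$cve" ] || continue
        if in_range "$1" "$low" "$high"; then
            out="$out $cve"
        fi
    done <<EOF
CVE-2019-5435 7.62.0 7.64.1
CVE-2019-5436 7.19.4 7.64.1
CVE-2019-5481 7.52.0 7.65.3
CVE-2019-5482 7.19.4 7.65.3
EOF
    echo "${out# }"
}

# Versions taken from this report's Source RPM fields and the update package;
# on a real host, pass the libcurl version printed by `curl --version`.
for sample in 7.54.1 7.64.1 7.66.0; do
    printf '%s: %s\n' "$sample" "$(affected_cves "$sample")"
done
```

For 7.54.1 the result omits CVE-2019-5435, which agrees with comment 7's statement that this CVE only affected Cauldron.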

Comment 14 Herman Viaene 2019-11-18 16:18:32 CET
MGA7-64 Plasma on Lenovo B50
No installation issues.
Found https://www.keycdn.com/support/popular-curl-examples with a series of examples:
$ curl https://www.keycdn.com
<!DOCTYPE html>
<html lang="en" prefix="og: http://ogp.me/ns#">
    <head>
        <meta charset="utf-8">
        <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
        <meta name="version" content="81d039956b90644e963c12544cddac4339380779">

        <title>KeyCDN - Content delivery made easy</title>
and a lot more
$ curl -I https://www.keycdn.com/
HTTP/2 200 
server: keycdn-engine
date: Mon, 18 Nov 2019 14:08:14 GMT
content-type: text/html
vary: Accept-Encoding
last-modified: Fri, 15 Nov 2019 23:51:32 GMT
etag: W/"5dcf3a04-13f5f"
expires: Mon, 25 Nov 2019 14:08:14 GMT
cache-control: max-age=604800
strict-transport-security: max-age=31536000; includeSubdomains; preload
content-security-policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data:
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: no-referrer-when-downgrade
x-cache: HIT
x-edge-location: nlam
access-control-allow-origin: *

The next commands in the site do not work anymore as the address cdn.keydn.com does not exist anymore.
Trying
$ curl -o myfile.css https://www.keycdn.com/css/animate.min.css
results in a decent-looking HTML file being created, but its contents are "Error 404" as the site has changed since then.
The same goes for
$ curl -O https://cdn.keycdn.com/css/animate.min.css

example 5 I couldn't figure out what was added in the loooooong output.

$ curl -D - https://www.keycdn.com/ -o /dev/null
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0HTTP/2 200 
server: keycdn-engine
date: Mon, 18 Nov 2019 14:52:34 GMT
content-type: text/html
vary: Accept-Encoding
last-modified: Fri, 15 Nov 2019 23:51:32 GMT
etag: W/"5dcf3a04-13f5f"
expires: Mon, 25 Nov 2019 14:52:34 GMT
cache-control: max-age=604800
strict-transport-security: max-age=31536000; includeSubdomains; preload
content-security-policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data:
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: no-referrer-when-downgrade
x-cache: HIT
x-edge-location: nlam
access-control-allow-origin: *

100 81759    0 81759    0     0   654k      0 --:--:-- --:--:-- --:--:--  659k

From https://curl.haxx.se/docs/httpscripting.html I try
$ curl --trace-ascii d.txt --trace-time http://www.keycdn.com
The resulting file contains a long list with time stamps.
and
$ curl --user me:mypasswd ftp://<mydesktop>/ 
lists the contents of the home directory.

Seems all well enough.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 15 David Walser 2019-11-18 17:40:41 CET
There's no need to test curl itself as it has an extensive build-time test suite, but we do need to check something that uses libcurl to make sure updating curl didn't break it (as it has sometimes in the past).

Comment 16 Thomas Andrews 2019-11-22 15:34:24 CET
(In reply to David Walser from comment #15)
> There's no need to test curl itself as it has an extensive build-time test
> suite, but we do need to check something that uses libcurl to make sure
> updating curl didn't break it (as it has sometimes in the past).

"urpmq --whatrequires lib64curl4" contains "psensor" on the long list that results. It just so happens that I installed Psensor on my laptop months ago after installing an ssd. 

I checked Psensor before updating anything, and everything was working as it should as far as I can tell. After shutting Psensor down and using the QA Repo tool to update curl and lib64curl4, I checked again. Nothing was broken that I could see. 

Validating. Advisory in Comment 13.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-11-30 12:22:41 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 17 Mageia Robot 2019-11-30 14:07:33 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0337.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

