Bug 30352 - curl new security issues CVE-2022-22576, CVE-2022-2777[4-6]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-04-29 22:08 CEST by Nicolas Salguero
Modified: 2022-05-02 21:45 CEST

See Also:
Source RPM: curl-7.74.0-1.4.mga8.src.rpm
CVE:
Status comment:


Comment 1 Nicolas Salguero 2022-04-29 22:32:30 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

OAUTH2 bearer bypass in connection re-use. (CVE-2022-22576)

Credential leak on redirect. (CVE-2022-27774)

Bad local IPv6 connection reuse. (CVE-2022-27775)

Auth/cookie leak on redirect. (CVE-2022-27776)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22576
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27774
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27775
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27776
https://curl.se/docs/CVE-2022-22576.html
https://curl.se/docs/CVE-2022-27774.html
https://curl.se/docs/CVE-2022-27775.html
https://curl.se/docs/CVE-2022-27776.html
https://ubuntu.com/security/notices/USN-5397-1
========================

Updated packages in core/updates_testing:
========================
curl-7.74.0-1.5.mga8
curl-examples-7.74.0-1.5.mga8
lib(64)curl4-7.74.0-1.5.mga8
lib(64)curl-devel-7.74.0-1.5.mga8

from SRPM:
curl-7.74.0-1.5.mga8.src.rpm

Source RPM: (none) => curl-7.74.0-1.4.mga8.src.rpm
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Assignee: bugsquad => qa-bugs

Comment 2 Herman Viaene 2022-04-30 15:16:31 CEST
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues.
Ref bug 29461 for tests:
$ curl https://www.keycdn.com
<!doctype html><html lang=en prefix="og: http://ogp.me/ns#"><head><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=version content="832422ebc22a4718adc64fdf0cad4375f39e93af"><title>KeyCDN - Content delivery made easy</title><meta name=description content="KeyCDN is a high performance content delivery network (CDN). Our global network will deliver any digital content, such as a website, software, or game, at a blazing fast speed."><meta name=twitter:card content="summary_large_image"><meta name=twitter:site content="@KeyCDN"><meta name=twitter:creator content="@KeyCDN"><meta property="og:url" content="https://www.keycdn.com"><meta property="og:type" content="website"><meta property="og:title" content="KeyCDN - Content delivery made easy"><meta property="og:description" content="KeyCDN is a high performance content delivery network (CDN). Our global network will deliver any digital content, such as a website, software, or game, at a blazing fast speed."><meta property="og:image" content="https://www.keycdn.com/img/og-image.png"><meta property="og:site_name" content="KeyCDN"><meta property="og:locale" content="en_US"><meta name=theme-color content="#047aed"><link rel=apple-touch-icon sizes=180x180 href=/img/favicon/apple-touch-icon.png><link rel=icon type=image/png sizes=32x32 href=/img/favicon/favicon-32x32.png><link rel=icon type=image/png sizes=16x16 href=/img/favicon/favicon-16x16.png><link rel=manifest href=/img/favicon/manifest.json><link rel=mask-icon href=/img/favicon/safari-pinned-tab.svg color=#047aed><link rel="shortcut icon" href=/img/favicon/favicon.ico><link rel=stylesheet href=/css/style-ad15156094.css></head><body><nav id=navbar class="navbar navbar--static navbar-expand-md bg-primary navbar-dark"><div class=container><a href=/ class="navbar-brand mr-lg-5"><svg xmlns="http://www.w3.org/2000/svg" id="logo-w
etc.......

$ curl -I https://www.keycdn.com/keycdn.com/
HTTP/2 301 
server: keycdn-engine
date: Sat, 30 Apr 2022 13:10:22 GMT
content-type: text/html
content-length: 162
location: https://www.keycdn.com/keycdn.com
expires: Sat, 07 May 2022 13:10:22 GMT
cache-control: max-age=604800
strict-transport-security: max-age=31536000; includeSubdomains; preload
content-security-policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data:
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: no-referrer-when-downgrade
x-cache: MISS
x-edge-location: nlam
access-control-allow-origin: *

$ curl -o myfile.css https://www.keycdn.com/css/animate.min.css
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1438  100  1438    0     0  11234      0 --:--:-- --:--:-- --:--:-- 11234

$ curl -v https://geekflare.com
*   Trying 172.67.70.213:443...
* Connected to geekflare.com (172.67.70.213) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
*  start date: Jul  8 00:00:00 2021 GMT
*  expire date: Jul  7 23:59:59 2022 GMT
*  subjectAltName: host "geekflare.com" matched cert's "geekflare.com"
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x19f6b60)
> GET / HTTP/2
> Host: geekflare.com
> user-agent: curl/7.74.0
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 403 
< date: Sat, 30 Apr 2022 13:11:24 GMT
< content-type: text/plain; charset=UTF-8
< content-length: 16
< x-frame-options: SAMEORIGIN
< referrer-policy: same-origin
< cache-control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< expires: Thu, 01 Jan 1970 00:00:01 GMT
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=lE%2BaSYiHb0%2BrJ1CK%2BP5uPgrrpH1gIJ%2FmSArVduXM4%2B4qg9oNKkSObsni0LaYtX2MtB0YyDaEUbdslxtTMZXdH3e4MBvJzt05Q%2FAfy5qE0abS53%2BhdrsN9fGJQ%2B06f18%3D"}],"group":"cf-nel","max_age":604800}
< nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< strict-transport-security: max-age=15552000; preload
< x-content-type-options: nosniff
< server: cloudflare
< cf-ray: 704085e94ff4f969-BRU
< alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
< 
* Connection #0 to host geekflare.com left intact

Looks all OK as in previous test

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 3 Thomas Andrews 2022-05-02 02:48:44 CEST
Validating. Advisory in Comment 1.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-05-02 17:26:17 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 4 Mageia Robot 2022-05-02 21:45:46 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0159.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

