Hi,

Those CVEs were announced here:
https://www.openwall.com/lists/oss-security/2023/10/05/6
https://github.com/curl/curl/discussions/12026

They will be fixed in version 8.4.0, on October 11.

Best regards,
Nico.

Source RPM: (none) => curl-8.3.0-1.mga10.src.rpm
CC: (none) => nicolas.salguero
Whiteboard: (none) => MGA9TOO, MGA8TOO
Again the CVE is worth reading. Assigning to Stig who has done the most recent version updates for curl.
Assignee: bugsquad => smelror
Status comment: (none) => will be fixed in version 8.4.0, on October 11
I've bumped Cauldron to 8.4.0 & will work on mga8/9 now.
Status: NEW => ASSIGNED
Assignee: smelror => dan
CC: (none) => dan

Versions for mga8/9 are now available in updates_testing:

mga9

x86_64 rpm list
curl-7.88.1-3.2.mga9.x86_64.rpm
curl-examples-7.88.1-3.2.mga9.noarch.rpm
lib64curl4-7.88.1-3.2.mga9.x86_64.rpm
lib64curl-devel-7.88.1-3.2.mga9.x86_64.rpm

i586 rpm list
curl-7.88.1-3.2.mga9.i586.rpm
curl-examples-7.88.1-3.2.mga9.noarch.rpm
libcurl4-7.88.1-3.2.mga9.i586.rpm
libcurl-devel-7.88.1-3.2.mga9.i586.rpm

srpm list
curl-7.88.1-3.2.mga9.src.rpm

mga8

x86_64 rpm list
curl-7.74.0-1.14.mga8.x86_64.rpm
curl-examples-7.74.0-1.14.mga8.noarch.rpm
lib64curl4-7.74.0-1.14.mga8.x86_64.rpm
lib64curl-devel-7.74.0-1.14.mga8.x86_64.rpm

i586 rpm list
curl-7.74.0-1.14.mga8.i586.rpm
curl-examples-7.74.0-1.14.mga8.noarch.rpm
libcurl4-7.74.0-1.14.mga8.i586.rpm
libcurl-devel-7.74.0-1.14.mga8.i586.rpm

srpm list
curl-7.74.0-1.14.mga8.src.rpm
Regression testing procedures:

The patches touch cookie handling and SOCKS5 handling. A simple SOCKS5 regression test can be run this way, by using tor as a SOCKS5 proxy server:

1. sudo urpmi tor
2. sudo systemctl start tor
3. sleep 120 # give tor a few minutes to warm up
4. curl -x socks5h://localhost:9050 https://ident.me
5. # that was your IP address via tor; compare that to your address w/o tor,
6. curl https://ident.me
7. sudo systemctl stop tor

The two IP addresses will be different if curl went through the Tor SOCKS5 proxy as expected.

As for cookie test, there is a PoC for the flaw in the Hacker One report at https://hackerone.com/reports/2148242 with instructions on testing it, but it requires compiling and running the PoC. A simpler regression test for basic cookie support in curl is as follows:

1. rm -f /tmp/cookiejar /tmp/out.html
2. curl -d name=yummy -d value=chocolate -d path=/ -b /tmp/cookiejar -c /tmp/cookiejar https://setcookie.net/ -o /tmp/out.html
3. curl -d name=yummy -d value=chocolate -d path=/ -b /tmp/cookiejar -c /tmp/cookiejar https://setcookie.net/ -o /tmp/out.html # exactly the same
4. grep ' = ' /tmp/out.html

The grep command should show the line "<li><code>yummy = chocolate</code></li>" which indicates that a cookie was set by the server in step 2, then returned back to the server by curl in step 3.

Whiteboard: MGA9TOO, MGA8TOO => MGA9TOO, MGA8TOO, has_procedure
Assignee: dan => qa-bugs
Actually, replacing step 3 in the cookie test above with this:

3. curl -b /tmp/cookiejar -c /tmp/cookiejar https://setcookie.net/ -o /tmp/out.html

provides a slightly more robust test, but it doesn't make a big difference.
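Added example, not part of the original comments: a small sh script that turns the two regression tests from the procedure above into pass/fail checks on what they produce (the two reported addresses, the cookie jar, the saved response page). The function names and all sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: pass/fail checks for the SOCKS5 and cookie regression tests.
# Function names and all sample data below are assumptions (constructed).

# True if the argument looks like an IPv4/IPv6 address (empty or error text fails).
is_addr() { case $1 in ''|*[!0-9A-Fa-f.:]*) return 1 ;; esac; }

# SOCKS5 test: the address seen via the proxy must differ from the direct one.
# Live use (needs network and a running tor, as in the procedure):
#   via=$(curl -s -x socks5h://localhost:9050 https://ident.me)
#   direct=$(curl -s https://ident.me); proxy_test_ok "$via" "$direct"
proxy_test_ok() {
    is_addr "$1" && is_addr "$2" && [ "$1" != "$2" ]
}

# Cookie jar check. Netscape format: 7 tab-separated fields per cookie
# (domain, subdomains flag, path, secure, expiry, name, value). A leading
# "#HttpOnly_" marks a cookie; any other "#" line is a comment.
jar_has_cookie() {   # usage: jar_has_cookie FILE NAME VALUE
    awk -F '\t' -v n="$2" -v v="$3" '
        { sub(/^#HttpOnly_/, "") }
        /^#/ || NF != 7 { next }
        $6 == n && $7 == v { found = 1 }
        END { exit !found }' "$1"
}

# Response check: the page lists the cookie curl sent back to the server.
page_echoes_cookie() {   # usage: page_echoes_cookie FILE NAME VALUE
    grep -qF "<li><code>$2 = $3</code></li>" "$1"
}

# Offline demonstration on constructed artifacts (not captured from a real run).
demo() {
    d=$(mktemp -d) || return 1
    printf '# Netscape HTTP Cookie File\nsetcookie.net\tFALSE\t/\tFALSE\t0\tyummy\tchocolate\n' > "$d/cookiejar"
    printf '<ul>\n<li><code>yummy = chocolate</code></li>\n</ul>\n' > "$d/out.html"
    proxy_test_ok 192.0.2.10 198.51.100.7 &&
        jar_has_cookie "$d/cookiejar" yummy chocolate &&
        page_echoes_cookie "$d/out.html" yummy chocolate
    rc=$?
    rm -rf "$d"
    return $rc
}

demo && echo "regression checks PASS" || echo "regression checks FAIL"
```

Checking the jar as well as the page separates "curl stored the cookie" from "curl sent it back", which the grep on the response alone does not distinguish.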
Proposed security advisory text:
========================

Updated the curl package to fix two security vulnerabilities:

curl/libcurl is vulnerable to a heap buffer overflow in its SOCKS5 support that could be exploited by a remote web server when curl is configured to use a SOCKS5 proxy with remote hostname resolution.

libcurl is vulnerable to a cookie injection attack where a local attacker can inject cookies into certain vulnerable applications using libcurl.

References:
https://curl.se/docs/CVE-2023-38545.html
https://curl.se/docs/CVE-2023-38546.html
https://hackerone.com/reports/2187833
https://hackerone.com/reports/2148242
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38545
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38546

Updated packages in core/updates:
(see above)

CVE: (none) => CVE-2023-38545, CVE-2023-38546
Priority: Normal => High
CC: (none) => mageia
Advisory from Comment 6 with srpms from comment 3 uploaded. Please remove the "advisory" keyword if the advisory needs to be changed.
CC: (none) => marja11
Keywords: (none) => advisory
curl-8.4.0-1.mga10. has landed in cauldron
Whiteboard: MGA9TOO, MGA8TOO, has_procedure => MGA8TOO, has_procedure
Version: Cauldron => 9
Installed and tested without issues.

System: Mageia 8, x86_64, Plasma DE, AMD Ryzen 5 5600G with Radeon Graphics.

$ uname -a
Linux jupiter 6.1.45-desktop-1.mga8 #1 SMP PREEMPT_DYNAMIC Fri Aug 11 22:01:56 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

Run tests before and after update no issues found in both.

==== BEFORE UPDATE ====

Testing curl-7.74.0-1.13.mga8

$ rpm -qa | grep curl.*7.74 | sort
curl-7.74.0-1.13.mga8
lib64curl4-7.74.0-1.13.mga8
lib64curl-devel-7.74.0-1.13.mga8
libcurl4-7.74.0-1.13.mga8

### SOCKS5 Proxy test
$ curl -x socks5h://localhost:9050 https://ident.me ; echo
199.249.230.83
$ curl https://ident.me ; echo
79.169.7.129
### SOCKS5 Proxy test PASSED

### Cookie test
$ rm -f /tmp/cookiejar
$ curl --silent -d name=yummy -d value=chocolate -d path=/ -b /tmp/cookiejar -c /tmp/cookiejar https://setcookie.net/ -o /tmp/out.html
$ grep yummy /tmp/out.html
<p>Received no cookies.</p><p class="success">Sent header: <code>Set-Cookie: yummy=chocolate; path=/</code></p> </article>
<input name="name" id="name" required pattern="[A-Za-z0-9_\-]+" value="yummy" />
$ curl --silent -b /tmp/cookiejar -c /tmp/cookiejar https://setcookie.net/ -o /tmp/out.html
$ grep yummy /tmp/out.html
<li><code>yummy = chocolate</code></li>
### Cookie test PASSED

==== AFTER UPDATE ====

$ rpm -qa | grep curl.*7.74 | sort
curl-7.74.0-1.14.mga8
lib64curl4-7.74.0-1.14.mga8
lib64curl-devel-7.74.0-1.14.mga8
libcurl4-7.74.0-1.14.mga8

### Tor SOCKS5 Proxy test
$ curl -x socks5h://localhost:9050 https://ident.me ; echo
185.220.102.252
$ curl https://ident.me ; echo
79.169.7.129
### Tor SOCKS5 Proxy test PASSED

### Cookie test
$ rm -f /tmp/cookiejar
$ curl --silent -d name=yummy -d value=chocolate -d path=/ -b /tmp/cookiejar -c /tmp/cookiejar https://setcookie.net/ -o /tmp/out.html
$ grep yummy /tmp/out.html
<p>Received no cookies.</p><p class="success">Sent header: <code>Set-Cookie: yummy=chocolate; path=/</code></p> </article>
<input name="name" id="name" required pattern="[A-Za-z0-9_\-]+" value="yummy" />
$ curl --silent -b /tmp/cookiejar -c /tmp/cookiejar https://setcookie.net/ -o /tmp/out.html
$ grep yummy /tmp/out.html
<li><code>yummy = chocolate</code></li>
### Cookie test PASSED
MGA9-64 Xfce on Acer Aspire 5253

No installation issues.
Trying to follow Comment 4 above

$ curl -x socks5h://localhost:9050 https://ident.me
192.42.116.187
$ curl https://ident.me
213.219.163.134

Looks OK.

$ rm -f /tmp/cookiejar /tmp/out.html
$ curl -d name=yummy -d value=chocolate -d path=/ -b /tmp/cookiejar -c /tmp/cookiejar https://setcookie.net/ -o /tmp/out.html
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4252  100  4219  100    33   8931     69 --:--:-- --:--:-- --:--:--  9008
$ curl -d name=yummy -d value=chocolate -d path=/ -b /tmp/cookiejar -c /tmp/cookiejar https://setcookie.net/ -o /tmp/out.html
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4301  100  4268  100    33  10970     84 --:--:-- --:--:-- --:--:-- 11085
$ grep ' = ' /tmp/out.html
<li><code>yummy = chocolate</code></li>

OK according to Comment 4

Whiteboard: MGA8TOO, has_procedure => MGA8TOO, has_procedure, MGA8-64-OK, MGA9-64-OK
CC: (none) => herman.viaene
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0288.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED