Bug 32599 - curl new security issues CVE-2023-4621[89]
Summary: curl new security issues CVE-2023-4621[89]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8TOO MGA9-64-OK MGA8-32-OK MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-12-06 16:24 CET by Nicolas Salguero
Modified: 2023-12-13 20:34 CET
CC List: 5 users

See Also:
Source RPM: curl-7.74.0-1.14.mga8.src.rpm,curl-7.88.1-3.1.mga9.src.rpm
CVE: CVE-2023-46218, CVE-2023-46219
Status comment: Advisory in comment#6


Description Nicolas Salguero 2023-12-06 16:24:38 CET
cURL has issued advisories today (December 6):
https://curl.se/docs/CVE-2023-46218.html
https://curl.se/docs/CVE-2023-46219.html

The issues are fixed upstream in 8.5.0.

Fix for CVE-2023-46218: https://github.com/curl/curl/commit/2b0994c29a721c91c57
Fix for CVE-2023-46219: https://github.com/curl/curl/commit/73b65e94f3531179de45

Mageia 9 is also affected.
Nicolas Salguero 2023-12-06 16:25:44 CET

Whiteboard: (none) => MGA9TOO
Status comment: (none) => Patches available from upstream and fixed upstream in 8.5.0
Source RPM: (none) => curl-8.4.0-2.mga10.src.rpm
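An added illustration of the defect class behind CVE-2023-46218, as described in the upstream advisory linked in the description (a cookie Domain attribute in mixed case such as co.UK slipping past a Public Suffix List check that compares case-sensitively, while the later domain tail match is case-insensitive). This is example code written for this page, not curl's or libpsl's implementation and not part of the bug report; the suffix list, hostnames and Set-Cookie header are constructed for the example, and real PSL handling (wildcards, exceptions, IDNA) is left out.

```python
"""Model of a cookie-domain PSL check, vulnerable and fixed side by side.

Not curl's code: a deliberately small reconstruction of the logic class
the CVE-2023-46218 advisory describes. The PSL below is constructed.
"""

# Constructed, tiny stand-in for the Public Suffix List (real list is far larger).
PUBLIC_SUFFIXES = {"com", "uk", "co.uk"}


def domain_matches(hostname: str, cookie_domain: str) -> bool:
    """Tail match used when deciding whether to send a cookie.

    Hostnames are case-insensitive, so both sides are lowercased here.
    """
    host = hostname.lower()
    dom = cookie_domain.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)


def psl_rejects_vulnerable(cookie_domain: str) -> bool:
    """Vulnerable variant: looks the domain up exactly as the server sent it.

    'co.UK' is not in the set, so a public suffix in mixed case is not rejected,
    even though the tail match above treats it as equal to 'co.uk'.
    """
    return cookie_domain.lstrip(".") in PUBLIC_SUFFIXES


def psl_rejects_fixed(cookie_domain: str) -> bool:
    """Fixed variant: normalise case before the PSL lookup."""
    return cookie_domain.lstrip(".").lower() in PUBLIC_SUFFIXES


def accept_cookie_domain(hostname: str, cookie_domain: str, fixed: bool = True) -> bool:
    """Would a cookie from `hostname` with Domain=`cookie_domain` be stored?"""
    if not domain_matches(hostname, cookie_domain):
        return False  # server may not set cookies for unrelated domains
    rejects = psl_rejects_fixed if fixed else psl_rejects_vulnerable
    return not rejects(cookie_domain)


def parse_set_cookie(header_value: str):
    """Return (name, domain_attr) from a Set-Cookie value; domain_attr may be None."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    domain = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain":
            domain = val.strip()
    return name, domain


def cookies_for(jar, hostname: str):
    """Names of jar cookies that would be sent to `hostname` (sorted for stable output)."""
    return sorted(name for name, dom in jar if domain_matches(hostname, dom))


def super_cookie_demo(fixed: bool):
    """Attacker host evil.co.uk sets Domain=co.UK; which cookies reach bank.co.uk?"""
    attacker_host = "evil.co.uk"                                # constructed
    header = "session=super; Domain=co.UK; Path=/"              # constructed
    name, dom = parse_set_cookie(header)
    dom = dom or attacker_host  # no Domain attribute => host-only cookie
    jar = []
    if accept_cookie_domain(attacker_host, dom, fixed=fixed):
        jar.append((name, dom))
    return cookies_for(jar, "bank.co.uk")


if __name__ == "__main__":
    print("vulnerable:", super_cookie_demo(fixed=False))  # cookie leaks to bank.co.uk
    print("fixed:     ", super_cookie_demo(fixed=True))   # rejected at set time
```

The point the model makes is that the two checks must agree on normalisation: if the send-time match lowercases but the set-time PSL guard does not, the guard can be bypassed with a single uppercase letter. The fix is to normalise once, before any comparison.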

Comment 1 Dan Fandrich 2023-12-07 20:52:56 CET
Note that an upstream packaging snafu means that https://github.com/curl/curl/raw/master/tests/errorcodes.pl will need to be added to the source tree or "!1477" added to TEST_Q= in the %check section to skip that test. Or, wait for 8.5.1 which might be released in a few days.

CC: (none) => dan

Comment 2 Lewis Smith 2023-12-10 21:57:11 CET
Dan, is it OK to assign this to you, as you did the update to ver. 8.4.0 to fix CVEs and clearly know this beast?

Assignee: bugsquad => dan

Comment 3 Dan Fandrich 2023-12-10 22:34:30 CET
Sure, I can take care of it tomorrow.

Status: NEW => ASSIGNED

Comment 4 Dan Fandrich 2023-12-12 00:22:48 CET
Updates have been pushed to Cauldron, mga8 and mga9.
Comment 5 katnatek 2023-12-12 02:23:02 CET Comment hidden (obsolete)

Assignee: dan => qa-bugs
Whiteboard: MGA9TOO => MGA9TOO MGA8TOO

Comment 6 katnatek 2023-12-12 02:26:38 CET
Advisory
################################################################

Updated curl packages fix vulnerabilities

References
################################################################
CVE-2023-46218
CVE-2023-46219

Packages in 8/core/updates_testing
################################################################
curl-7.74.0-1.15.mga8.x86_64.rpm
curl-examples-7.74.0-1.15.mga8.noarch.rpm
lib64curl-devel-7.74.0-1.15.mga8.x86_64.rpm
lib64curl4-7.74.0-1.15.mga8.x86_64.rpm

SRPMS
################################################################
curl-7.74.0-1.15.mga8


Packages in 9/core/updates_testing
################################################################
curl-7.88.1-3.3.mga9.x86_64.rpm
curl-examples-7.88.1-3.3.mga9.noarch.rpm
lib64curl-devel-7.88.1-3.3.mga9.x86_64.rpm
lib64curl4-7.88.1-3.3.mga9.x86_64.rpm

SRPMS
################################################################
curl-7.88.1-3.3.mga9

Source RPM: curl-8.4.0-2.mga10.src.rpm => curl-7.74.0-1.14.mga8.src.rpm,curl-7.88.1-3.1.mga9.src.rpm
Status comment: Patches available from upstream and fixed upstream in 8.5.0 => Advisory in comment#5

katnatek 2023-12-12 02:27:03 CET

Status comment: Advisory in comment#5 => Advisory in comment#6

Comment 7 katnatek 2023-12-12 03:47:20 CET
Tested on VM Mageia 8 i586

Packages update from the current version without issues
Downloaded a file with curl without issues
Comment 8 katnatek 2023-12-12 03:58:02 CET
Tested on Real Hardware Mageia 9 x86_64

Packages update from the current version without issues
Installed packages with urpmi using curl as downloader without issues
katnatek 2023-12-12 10:20:27 CET

Version: Cauldron => 9
Whiteboard: MGA9TOO MGA8TOO => MGA8TOO

Marja Van Waes 2023-12-12 11:26:15 CET

CVE: (none) => CVE-2023-46218, CVE-2023-46219
CC: (none) => marja11

Comment 9 Marja Van Waes 2023-12-12 12:31:51 CET
Advisory based on comment 6 and the changelog mails added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete"

Keywords: (none) => advisory

Comment 10 Herman Viaene 2023-12-12 17:00:04 CET
MGA9-64 MATE on HP Pavilion
No installation issues
Ref bug 32362 for testing
$ rm -f /tmp/cookiejar /tmp/out.html
$ curl -d name=yummy -d value=chocolate -d path=/ -b /tmp/cookiejar -c /tmp/cookiejar https://setcookie.net/ -o /tmp/out.html
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4252  100  4219  100    33   9675     75 --:--:-- --:--:-- --:--:--  9752

$ curl -d name=yummy -d value=chocolate -d path=/ -b /tmp/cookiejar -c /tmp/cookiejar https://setcookie.net/ -o /tmp/out.html
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4301  100  4268  100    33  20797    160 --:--:-- --:--:-- --:--:-- 21083

$ grep ' = ' /tmp/out.html
<li><code>yummy = chocolate</code></li>

Installed tor and got it running, then
$ curl -x socks5h://localhost:9050 https://ident.me
199.195.253.180
$ curl https://ident.me
213.219.163.134

Is OK.

CC: (none) => herman.viaene
Whiteboard: MGA8TOO => MGA8TOO MGA9-4-OK

Marja Van Waes 2023-12-12 22:35:34 CET

Whiteboard: MGA8TOO MGA9-4-OK => MGA8TOO MGA9-64-OK

Comment 11 Thomas Andrews 2023-12-13 01:05:22 CET
MGA8-64 Plasma in VirtualBox. No installation issues.

Made sure the tools in MCC were set to use curl, then went to drakrpm and installed a package that was known to have an update. No issues installing that package or its dependencies. Then I used MCC to get updates, which updated the previously installed package.

Looks OK here, too. Giving the OKs for MGA8 based on this test and on comment 7.

Validating.

Keywords: (none) => validated_update
Whiteboard: MGA8TOO MGA9-64-OK => MGA8TOO MGA9-64-OK MGA8-32-OK MGA8-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 12 Mageia Robot 2023-12-13 20:34:51 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0345.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

