Bug 33020 - curl new security issues CVE-2024-2004, CVE-2024-2379, CVE-2024-2398 and CVE-2024-2466
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK, has_procedure
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-03-27 10:58 CET by Nicolas Salguero
Modified: 2024-03-29 04:50 CET

See Also:
Source RPM: curl-8.6.0-3.mga10.src.rpm
CVE: CVE-2024-2004, CVE-2024-2379, CVE-2024-2398, CVE-2024-2466
Status comment: Fixed upstream in 8.7.0 and patches available from upstream

Description Nicolas Salguero 2024-03-27 10:58:10 CET
Those issues were announced here:
https://curl.se/docs/CVE-2024-2004.html
https://curl.se/docs/CVE-2024-2379.html
https://curl.se/docs/CVE-2024-2398.html
https://curl.se/docs/CVE-2024-2466.html

Mageia 9 is affected by CVE-2024-2004 and CVE-2024-2398.
Nicolas Salguero 2024-03-27 10:58:38 CET

Source RPM: (none) => curl-8.6.0-3.mga10.src.rpm
CVE: (none) => CVE-2024-2004, CVE-2024-2379, CVE-2024-2398, CVE-2024-2466
Whiteboard: (none) => MGA9TOO

Nicolas Salguero 2024-03-27 10:59:15 CET

Status comment: (none) => Fixed upstream in 8.7.0 and patches available from upstream

Comment 1 Lewis Smith 2024-03-27 20:11:11 CET
Assigning this to you, Dan, as you seem to be the principal maintainer of curl.

Assignee: bugsquad => dan

Comment 2 Dan Fandrich 2024-03-27 20:27:29 CET
I should probably make that official…

Status: NEW => ASSIGNED

Comment 3 Dan Fandrich 2024-03-27 20:37:38 CET
Only CVE-2024-2398 and CVE-2024-2004 apply to mga9 (ver. 7.88.1) as well as our package of 8.6.0 in Cauldron. I have a feeling there will be a point release in a few days and since neither of them is high severity I'll hold off on updating Cauldron for the moment.
Comment 4 Dan Fandrich 2024-03-27 23:26:35 CET
I accidentally bumped the rel instead of the subrel, but curl-7.88.1-4.3.mga9 is now available in updates_testing (the rel bump shouldn't matter because cauldron is way ahead of this version).

Proposed advisory:

Patched curl/libcurl fixes security vulnerabilities

CVE-2024-2004: Usage of disabled protocol
If all protocols are disabled at run-time with none being added, curl/libcurl would still allow communication with the default set of allowed protocols, including some that are unencrypted.

CVE-2024-2398: HTTP/2 push headers memory-leak
A memory leak could occur when an application enabled HTTP/2 server push and the server sent a large number of headers.

References:
https://curl.se/docs/CVE-2024-2004.html
https://curl.se/docs/CVE-2024-2398.html

New RPMs:

- i586:
    curl-examples-7.88.1-4.3.mga9.noarch.rpm
    libcurl4-7.88.1-4.3.mga9.i586.rpm
    curl-7.88.1-4.3.mga9.i586.rpm
    libcurl-devel-7.88.1-4.3.mga9.i586.rpm
    curl-debugsource-7.88.1-4.3.mga9.i586.rpm
    curl-debuginfo-7.88.1-4.3.mga9.i586.rpm
    libcurl4-debuginfo-7.88.1-4.3.mga9.i586.rpm
- x86_64:
    curl-examples-7.88.1-4.3.mga9.noarch.rpm
    lib64curl-devel-7.88.1-4.3.mga9.x86_64.rpm
    lib64curl4-7.88.1-4.3.mga9.x86_64.rpm
    curl-7.88.1-4.3.mga9.x86_64.rpm
    curl-debuginfo-7.88.1-4.3.mga9.x86_64.rpm
    curl-debugsource-7.88.1-4.3.mga9.x86_64.rpm
    lib64curl4-debuginfo-7.88.1-4.3.mga9.x86_64.rpm
- armv7hl:
    libcurl-devel-7.88.1-4.3.mga9.armv7hl.rpm
    libcurl4-7.88.1-4.3.mga9.armv7hl.rpm
    curl-examples-7.88.1-4.3.mga9.noarch.rpm
    curl-7.88.1-4.3.mga9.armv7hl.rpm
    curl-debugsource-7.88.1-4.3.mga9.armv7hl.rpm
    curl-debuginfo-7.88.1-4.3.mga9.armv7hl.rpm
    libcurl4-debuginfo-7.88.1-4.3.mga9.armv7hl.rpm
- aarch64:
    lib64curl-devel-7.88.1-4.3.mga9.aarch64.rpm
    curl-examples-7.88.1-4.3.mga9.noarch.rpm
    lib64curl4-7.88.1-4.3.mga9.aarch64.rpm
    curl-7.88.1-4.3.mga9.aarch64.rpm
    curl-debuginfo-7.88.1-4.3.mga9.aarch64.rpm
    lib64curl4-debuginfo-7.88.1-4.3.mga9.aarch64.rpm
    curl-debugsource-7.88.1-4.3.mga9.aarch64.rpm
- source:
    curl-7.88.1-4.3.mga9.src.rpm


Test procedure for CVE-2024-2004:

Run:
  curl --no-progress-meter --proto -all http://curl.se
The result should be:
  curl: (1) Protocol "http" disabled
If the result is no output, curl is buggy.

I'm not aware of an easy test procedure for CVE-2024-2398.

Whiteboard: MGA9TOO => MGA9TOO, has_procedure
QA Contact: security => qa-bugs
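Added example, not part of the bug report or of Mageia's QA tooling: a POSIX shell function that runs the CVE-2024-2004 test procedure from comment 4 and turns the outcome into a return code, so the check can be scripted across hosts instead of eyeballed. It assumes only a curl binary on PATH (or one passed as the first argument); the URL defaults to http://curl.se as in the procedure. The check keys on curl's exit code 1 (CURLE_UNSUPPORTED_PROTOCOL) plus the `Protocol "http"` prefix rather than on "no output", because a buggy curl on a host without network also produces no output but exits 6 or 7, which must not be read as "fixed". Both the 7.88.1 wording ("not supported or disabled in libcurl") and the 8.x wording ("disabled") match.

```shell
#!/bin/sh
# Added example: scripted form of the CVE-2024-2004 check from comment 4.
# Not part of the bug report or of Mageia's tooling. Assumes a curl binary on
# PATH (or passed as $1); the URL defaults to http://curl.se as in the procedure.

# check_proto_disabled [curl-binary] [url]
#   0  fixed: curl refused the transfer because every protocol is disabled
#   1  buggy or inconclusive: curl proceeded, or failed for another reason
#      (no network gives exit 6/7), so this must not be reported as "fixed"
#   2  the curl binary could not be found
check_proto_disabled() {
    curl_bin="${1:-curl}"
    url="${2:-http://curl.se}"
    command -v "$curl_bin" >/dev/null 2>&1 || return 2
    # Keep stderr (where curl prints "curl: (1) Protocol ...") and drop stdout;
    # the exit status of the substitution is curl's own exit status.
    err=$("$curl_bin" --no-progress-meter --proto -all "$url" 2>&1 >/dev/null)
    rc=$?
    # Exit code 1 is CURLE_UNSUPPORTED_PROTOCOL. The prefix matches both the
    # 7.88.1 message ("not supported or disabled in libcurl") and the 8.x one.
    if [ "$rc" -eq 1 ] && printf '%s\n' "$err" | grep -q 'Protocol "http"'; then
        return 0
    fi
    return 1
}

# Print a verdict for interactive use; the return code is that of the check.
report_proto_check() {
    check_proto_disabled "$@"
    rc=$?
    case "$rc" in
        0) echo "OK: --proto -all is honoured, CVE-2024-2004 fix present" ;;
        1) echo "NOT OK / inconclusive: curl did not refuse the disabled protocol"
           # Show what curl actually said so an offline failure is recognisable.
           [ -n "$err" ] && printf '%s\n' "$err" ;;
        *) echo "SKIP: curl binary '${1:-curl}' not found" ;;
    esac
    return "$rc"
}

# Run against the installed curl when executed directly. "|| true" keeps a
# sourcing caller alive; scripts wanting the status call check_proto_disabled.
report_proto_check "$@" || true
```

Usage: `sh check_proto.sh` tests the curl on PATH; `sh check_proto.sh /path/to/other/curl` tests another build, which is handy for comparing the pre- and post-update package side by side as in comment 5.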

katnatek 2024-03-27 23:42:43 CET

Keywords: (none) => advisory

katnatek 2024-03-27 23:45:43 CET

Assignee: dan => qa-bugs
QA Contact: qa-bugs => security

Comment 5 katnatek 2024-03-27 23:49:22 CET
RH mageia 9 x86_64

Before the update

curl --no-progress-meter --proto -all http://curl.se

Produces empty output

LC_ALL=C urpmi --auto --auto-update 
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date

installing lib64curl4-7.88.1-4.3.mga9.x86_64.rpm lib64curl-devel-7.88.1-4.3.mga9.x86_64.rpm curl-7.88.1-4.3.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/3: lib64curl4            ##################################################################################################
      2/3: lib64curl-devel       ##################################################################################################
      3/3: curl                  ##################################################################################################
      1/3: removing lib64curl-devel-1:7.88.1-3.3.mga9.x86_64
                                 ##################################################################################################
      2/3: removing curl-1:7.88.1-3.3.mga9.x86_64
                                 ##################################################################################################
      3/3: removing lib64curl4-1:7.88.1-3.3.mga9.x86_64
                                 ##################################################################################################

After the update

curl --no-progress-meter --proto -all http://curl.se
curl: (1) Protocol "http" not supported or disabled in libcurl
Comment 6 Herman Viaene 2024-03-28 17:00:13 CET
MGA9-64 Plasma Wayland on HP-Pavillion
No installation issues
Ref bug 32362 for testing and comment 5 above:
$   curl --no-progress-meter --proto -all http://curl.se
curl: (1) Protocol "http" not supported or disabled in libcurl
Tests as in bug 32362, but tor test omitted (not enough time)
$ curl -d name=yummy -d value=chocolate -d path=/ -b /tmp/cookiejar -c /tmp/cookiejar https://setcookie.net/ -o /tmp/out.html
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4252  100  4219  100    33  11406     89 --:--:-- --:--:-- --:--:-- 11523

$ curl -d name=yummy -d value=chocolate -d path=/ -b /tmp/cookiejar -c /tmp/cookiejar https://setcookie.net/ -o /tmp/out.html
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4301  100  4268  100    33  23374    180 --:--:-- --:--:-- --:--:-- 23502

$ grep ' = ' /tmp/out.html
<li><code>yummy = chocolate</code></li>

Looks OK for me AFAICS

CC: (none) => herman.viaene

katnatek 2024-03-28 18:41:57 CET

CC: (none) => andrewsfarm

katnatek 2024-03-28 18:42:35 CET

Whiteboard: MGA9TOO, has_procedure => MGA9-64-OK, has_procedure
Version: Cauldron => 9

Comment 7 Thomas Andrews 2024-03-28 19:04:38 CET
Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 8 Mageia Robot 2024-03-29 04:50:13 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0099.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
