curl announced on January 24th that the new version 7.24.0 contained fixes for these issues, both of which affect the version we have in Mageia 1.

References:
http://curl.haxx.se/docs/adv_20120124.html
http://curl.haxx.se/docs/adv_20120124B.html
we need to add the patches instead of updating the version
CC: (none) => dmorganec
(In reply to comment #1)
> we need to add the patches instead of updating the version

Yes, of course. Patches are linked from the advisories (reproduced here):
http://curl.haxx.se/curl-url-sanitize.patch
http://curl.haxx.se/curl-dont-insert-empty-fragments.patch
Created attachment 1447 [details] re-diffed curl-url-sanitize.patch
Created attachment 1448 [details] re-diffed curl-dont-insert-empty-fragments.patch
I re-diffed the two patches from upstream and attached them. I also noticed that patch 9 in the SPEC, which was supposed to fix mga Bug 1813, was never actually applied.
CC: (none) => boklm
Created attachment 1449 [details] updated curl-url-sanitize.patch

I don't see how the patch caused the build error, as the offending code was already there, but I fixed it in this updated patch.
curl built successfully locally for me with these patches. I can submit this to SVN and the build system if that's OK with you, Nicolas. Could someone write an advisory?
Advisory:

This security update for curl corrects the following CVEs.

CVE-2012-0036
Dan Fandrich discovered that curl incorrectly handled URLs containing embedded or percent-encoded control characters. If a user or automated system were tricked into processing a specially crafted URL, arbitrary data could be injected.

CVE-2011-3389
The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.
CC: (none) => davidwhodgins
Addendum to the Advisory based on comment 3:

In addition, libcurl failed to check the correct struct for HTTPS after CONNECT was issued to the proxy, so it didn't do the TLS handshake and subsequently failed the connection. A regression released in 7.21.5 (introduced around commit 8831000).
The package has been built and uploaded to updates_testing! Thanks to Dave Hodgins for the advisory.

Advisory:
========================

Updated curl packages fix security vulnerabilities:

Dan Fandrich discovered that curl incorrectly handled URLs containing embedded or percent-encoded control characters. If a user or automated system were tricked into processing a specially crafted URL, arbitrary data could be injected (CVE-2012-0036).

The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack (CVE-2011-3389).

In addition, libcurl failed to check the correct struct for HTTPS after CONNECT was issued to the proxy, so it didn't do the TLS handshake and subsequently failed the connection. A regression released in 7.21.5 (introduced around commit 8831000). An update was issued for this on June 30, 2011, but the patch was not applied. This has been corrected (Bug 1813).

References:
http://curl.haxx.se/docs/adv_20120124.html
http://curl.haxx.se/docs/adv_20120124B.html
========================

Updated packages in core/updates_testing:
========================
curl-7.21.5-1.2.mga1
curl-examples-7.21.5-1.2.mga1
libcurl4-7.21.5-1.2.mga1
libcurl-devel-7.21.5-1.2.mga1

from curl-7.21.5-1.2.mga1.src.rpm
Assignee: bugsquad => qa-bugs
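The CVE-2012-0036 part of the advisory above concerns control characters, embedded or percent-encoded, reaching line-oriented protocol handlers from a URL. The following is an added example, not code from curl or from this bug, of a pre-flight check a script could run on URLs before handing them to a curl build that predates the fix. It reports raw C0/DEL bytes anywhere in the URL and percent-encoded ones in the login:password part, which is where the pop3:// and imap:// test commands in this thread carry credentials; treating the credentials as the sensitive component is this example's own assumption.

```python
import re
from urllib.parse import urlsplit

# C0 control bytes (0x00-0x1f) plus DEL (0x7f), the range a URL sanitizer
# should refuse before the URL is turned into protocol commands.
_RAW_CONTROL = re.compile(r"[\x00-\x1f\x7f]")
# The same range written as a percent-encoded triplet, e.g. %0D or %0a.
_PCT_CONTROL = re.compile(r"%(?:[01][0-9a-fA-F]|7[fF])")


def find_control_chars(url: str) -> list:
    """Return a list of findings for control characters in a URL.

    Raw control bytes are reported wherever they occur. Percent-encoded
    ones are reported only in the userinfo (login:password) component,
    since that is the part a mail-protocol handler decodes and echoes
    into CRLF-terminated commands (assumption for this example).
    """
    findings = []
    for m in _RAW_CONTROL.finditer(url):
        findings.append("raw 0x%02x at offset %d" % (ord(m.group()), m.start()))

    parts = urlsplit(url)  # works for pop3://, imap://, https:// alike
    # netloc looks like "login:password@host"; credentials precede the last '@'.
    if "@" in parts.netloc:
        userinfo = parts.netloc.rsplit("@", 1)[0]
        for m in _PCT_CONTROL.finditer(userinfo):
            findings.append("percent-encoded %s in credentials" % m.group().upper())
    return findings


def is_safe_url(url: str) -> bool:
    """True when the URL contains no raw or credential-encoded control characters."""
    return not find_control_chars(url)


if __name__ == "__main__":
    # Constructed sample URLs mirroring the shapes used in the test procedure.
    for sample in ("pop3://login:password@mailhost/1",
                   "pop3://login:pass%0Dword@mailhost/1"):
        print(sample, "->", find_control_chars(sample) or "clean")
```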
No PoCs. As these affect https and mail protocols, attempting those with curl.

x86_64

Used:
$ curl pop3://<login>:<password>@<mailhost>/1
to retrieve first email from pop3
$ curl imap://<login>:<password>@<mailhost>
to do the same with imap
$ curl https://<some-website.com>
shows website source
$ curl -l ftp://ftp.linuxcabal.org/pub/mirrors/Mageia/distrib/1/i586/media/core/updates_testing/
shows ftp directory listing
$ curl -o curl.rpm ftp://ftp.linuxcabal.org/pub/mirrors/Mageia/distrib/1/i586/media/core/updates_testing/curl-7.21.5-1.2.mga1.i586.rpm
downloads curl to curl.rpm with progress indication.

All seems OK. Testing complete x86_64.
Testing complete on i586. Thanks for the detailed test procedure Claire. I had no idea curl had those options.

Could someone from the sysadmin team push the srpm curl-7.21.5-1.2.mga1.src.rpm from Core Updates Testing to Core Updates

Advisory:

This security update for curl fixes the following security vulnerabilities:

Dan Fandrich discovered that curl incorrectly handled URLs containing embedded or percent-encoded control characters. If a user or automated system were tricked into processing a specially crafted URL, arbitrary data could be injected (CVE-2012-0036).

The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack (CVE-2011-3389).

In addition, libcurl failed to check the correct struct for HTTPS after CONNECT was issued to the proxy, so it didn't do the TLS handshake and subsequently failed the connection. A regression released in 7.21.5 (introduced around commit 8831000). An update was issued for this on June 30, 2011, but the patch was not applied. This has been corrected (Bug 1813).

References:
http://curl.haxx.se/docs/adv_20120124.html
http://curl.haxx.se/docs/adv_20120124B.html
https://bugs.mageia.org/show_bug.cgi?id=4307
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
update pushed
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
CC: boklm => (none)