CVE-2009-2417 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2417): lib/ssluse.c in cURL and libcurl 7.4 through 7.19.5, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
Created attachment 201459 http://curl.haxx.se/CVE-2009-2417/curl-7.19.5-CVE-2009-2417.patch Patch released. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2417
http://curl.haxx.se/docs/adv_20090812.html ... is the better resource (and the original advisory) - the problem is not restricted to the CN field alone which is why my advisory didn't say so. CVE-2009-2408 is the same bug but in another project (NSS). GnuTLS also had the problem.
(In reply to comment #2)
> ... the problem is not restricted to the CN field alone which is why my advisory didn't say so.
Thanks for the clarification. Maybe talk to the CVE people to have the description adapted. I'll prepare the bump as dragonheart is away.
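The failure mode described in the CVE text and in comment #2, as an added example that is not code from curl or from this bug: a certificate name field containing '\0' passes a C-string comparison but is refused by a length-aware one, whichever field it sits in. The struct, the function names and the sample bytes are constructed for illustration; wildcard matching and case folding are left out.

```c
#include <stdio.h>
#include <string.h>

enum { NAME_MISMATCH = 0, NAME_MATCH = 1, NAME_REJECTED = -1 };

/* One name field as decoded from the certificate: the bytes plus the
   length the encoding declares (CN or subjectAltName entry alike). */
struct cert_name { const unsigned char *data; size_t len; };

/* Constructed sample: a 15-byte hostname, a NUL, then a suffix. */
static const unsigned char crafted[] = "www.example.com\0.untrusted.invalid";

/* Pre-fix pattern: a C-string routine stops at the first '\0'. */
static int match_as_cstring(const struct cert_name *n, const char *host)
{
  return strcmp((const char *)n->data, host) == 0 ? NAME_MATCH : NAME_MISMATCH;
}

/* Length-aware check: a NUL inside the declared length is refused. */
static int match_checked(const struct cert_name *n, const char *host)
{
  if(n->len == 0 || memchr(n->data, '\0', n->len) != NULL)
    return NAME_REJECTED;
  if(n->len != strlen(host) || memcmp(n->data, host, n->len) != 0)
    return NAME_MISMATCH;
  return NAME_MATCH;
}

/* Check every name field; one malformed name fails the certificate. */
static int match_cert(const struct cert_name *v, size_t n, const char *host)
{
  int result = NAME_MISMATCH;
  for(size_t i = 0; i < n; i++) {
    int r = match_checked(&v[i], host);
    if(r == NAME_REJECTED)
      return NAME_REJECTED;
    if(r == NAME_MATCH)
      result = NAME_MATCH;
  }
  return result;
}

int main(void)
{
  struct cert_name bad = { crafted, sizeof(crafted) - 1 };
  printf("as C string: %d, length-aware: %d\n",
         match_as_cstring(&bad, "www.example.com"),
         match_cert(&bad, 1, "www.example.com"));
  return 0;
}
```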
Arches, please test and mark stable: =net-misc/curl-7.19.6 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
TESTDONE: 457 tests out of 459 reported OK: 99%
TESTFAIL: These test cases failed: 20 507
TESTDONE: 534 tests were considered during 928 seconds.
TESTINFO: 75 tests were skipped due to these restraints:
TESTINFO: "no stunnel" 18 times (300, 301, 302, 303, 304, 305, 306, 309, 400, 401, 403, 404, 406, 407, 408, 409, 560, 1097)
TESTINFO: "failed starting SSH server" 44 times (600, 601, 602, 603, 604, 605, 606, 607, 608, 609, 610, 611, 612, 613, 614, 615, 616, 617, 618, 619, 620, 621, 622, 623, 624, 625, 626, 627, 628, 629, 630, 631, 633, 634, 635, 636, 637, 700, 701, 702, 703, 706, 707, 2004)
TESTINFO: "rlimit problem: fds needed 1050 > system limit 1024" 1 times (518)
TESTINFO: "Resolving IPv6 'ip6-localhost' didn't work" 2 times (241, 1083)
TESTINFO: "configured as DISABLED" 2 times (563, 564)
TESTINFO: "curl lacks netrc_debug support" 6 times (130, 131, 132, 133, 134, 257)
TESTINFO: "curl lacks OpenSSL support" 2 times (307, 308)
make[1]: *** [quiet-test] Error 1
make[1]: Leaving directory `/var/tmp/portage/net-misc/curl-7.19.6/work/curl-7.19.6/tests'
make: *** [test] Error 2
Stable for HPPA.
ppc stable
x86 stable, my crappy provider does not provide the correct error for failing DNS queries
Stable on alpha.
arm/ia64/s390/sh/sparc stable
amd64 stable
ppc64: ping
ppc64 done
GLSA voting: YES
YES, request already filed.
GLSA 200909-20