Summary: | <net-misc/curl-7.31.0 : URL decode buffer boundary flaw (CVE-2013-2174) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | blueness, gregkh, patrick, zerochaos |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://curl.haxx.se/mail/archive-2013-06/0047.html | ||
Whiteboard: | A2 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
2013-06-22 21:00:38 UTC
7.31.0 is currently in the tree.

Arches, please stabilize =net-misc/curl-7.31.0, target arches: alpha amd64 arm ppa ia64 ppc ppc64 s390 sh sparc x86. Thanks!

(In reply to Chris Reffett from comment #2)
> Arches, please stabilize =net-misc/curl-7.31.0, target arches: alpha amd64
> arm ppa ia64 ppc ppc64 s390 sh sparc x86. Thanks!

Good idea. It seems to be working fine.

(In reply to Chris Reffett from comment #2)
> Arches, please stabilize =net-misc/curl-7.31.0, target arches: alpha amd64
> arm ppa ia64 ppc ppc64 s390 sh sparc x86. Thanks!

the arch teams were never cc-ed

(In reply to Anthony Basile from comment #4)
> (In reply to Chris Reffett from comment #2)
> > Arches, please stabilize =net-misc/curl-7.31.0, target arches: alpha amd64
> > arm ppa ia64 ppc ppc64 s390 sh sparc x86. Thanks!
>
> the arch teams were never cc-ed

stable ppc ppc64

amd64 stable

alpha stable

sparc stable

x86 stable

arm stable

CVE-2013-2174 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2174): Heap-based buffer overflow in the curl_easy_unescape function in lib/escape.c in cURL and libcurl 7.7 through 7.30.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted string ending in a "%" (percent) character.

s390 stable

sh stable

Added to existing GLSA draft

(In reply to Sergey Popov from comment #14)
> Added to existing GLSA draft

Should I be removing <net-misc/curl-7.31.0 yet?

Yes please.

(In reply to Chris Reffett from comment #16)
> Yes please.

Massive cleanup!

*** Bug 489852 has been marked as a duplicate of this bug. ***

Stable for HPPA.

And another one.

(In reply to Chris Reffett from comment #16)
> Yes please.

No, it wasn't stable on ia64 and autobuilds got broken.

Please be more careful people, I have restored curl-7.30.0.

*** Bug 490336 has been marked as a duplicate of this bug. ***

(In reply to Rick Farina (Zero_Chaos) from comment #21)
> (In reply to Chris Reffett from comment #16)
> > Yes please.
>
> No, it wasn't stable on ia64 and autobuilds got broken.
>
> Please be more careful people, I have restored curl-7.30.0.

You should have dropped the keywords on 7.30.0 from

KEYWORDS="alpha amd64 arm hppa ia64 ~mips ppc ppc64 s390 sh sparc x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"

to

KEYWORDS="ia64"

since we only need it for that arch. I'll commit this change if there are no objections.

(In reply to Anthony Basile from comment #23)
> You should have dropped the keywords on 7.30.0 from
>
> KEYWORDS="alpha amd64 arm hppa ia64 ~mips ppc ppc64 s390 sh sparc x86
> ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd
> ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~x86-linux
> ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris
> ~x64-solaris ~x86-solaris"
>
> to
>
> KEYWORDS="ia64"

no objections, but due to visibility this makes pretty much no difference as portage is going to take the higher stable version anyway. In reality it is not common practice to remove keywords from an older ebuild as they are added stable to the newer one, even if it is a security bug.

(In reply to Rick Farina (Zero_Chaos) from comment #24)
> no objections, but due to visibility this makes pretty much no difference as
> portage is going to take the higher stable version anyway. In reality it is
> not common practice to remove keywords from an older ebuild as they are
> added stable to the newer one, even if it is a security bug.

True, but another way would be masking on every arch and unmask on ia64. I think this keywording trick is better for this case.

ia64 stable.

Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.

Added to existing GLSA draft.

Please remove vulnerable versions (cleanup)

(In reply to Yury German from comment #27)
> Added to existing GLSA draft.
>
> Please remove vulnerable versions (cleanup)

<net-misc/curl-7.31.0 is off the tree.

This issue was resolved and addressed in GLSA 201401-14 at http://security.gentoo.org/glsa/glsa-201401-14.xml by GLSA coordinator Sergey Popov (pinkbyte).
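
The CVE-2013-2174 text quoted in this thread describes a decoder that misbehaves on input ending in "%". As an added example (not part of this bug report and not libcurl's code), here is a length-bounded percent-decoder that checks both hex digits are inside the buffer before reading them; the names `pct_decode` and `hexval` are hypothetical and the sample input is constructed.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Value of one hex digit; the caller has already checked isxdigit(). */
static unsigned char hexval(unsigned char c)
{
    return (unsigned char)(isdigit(c) ? c - '0' : tolower(c) - 'a' + 10);
}

/* Hypothetical helper (not libcurl code): decode %XX in in[0..len-1].
 * The input is a length-delimited buffer, not a C string, so no byte at
 * index >= len is read. Returns a malloc'd NUL-terminated buffer and sets
 * *outlen, or returns NULL on failure. */
unsigned char *pct_decode(const unsigned char *in, size_t len, size_t *outlen)
{
    unsigned char *out;
    size_t i = 0, o = 0;

    if (len == SIZE_MAX || (out = malloc(len + 1)) == NULL)
        return NULL;   /* len + 1 would wrap, or allocation failed */
    while (i < len) {
        /* Decode only when both hex digits are inside the buffer;
         * "len - i > 2" cannot wrap the way "i + 2 < len" could. */
        if (in[i] == '%' && len - i > 2 &&
            isxdigit(in[i + 1]) && isxdigit(in[i + 2])) {
            out[o++] = (unsigned char)(hexval(in[i + 1]) << 4 | hexval(in[i + 2]));
            i += 3;
        } else {
            out[o++] = in[i++];   /* lone or truncated '%' stays literal */
        }
    }
    out[o] = '\0';
    *outlen = o;
    return out;
}

int main(void)
{
    /* Constructed input: the caller passes len 4, so "41" is outside it. */
    const unsigned char buf[] = "abc%41";
    size_t n = 0;
    unsigned char *r = pct_decode(buf, 4, &n);
    if (r == NULL)
        return 1;
    printf("%zu %s\n", n, r);
    free(r);
    return 0;
}
```

With the length set to 4 the trailing "%" is copied through unchanged even though hex digits happen to follow it in memory, which is the boundary case the advisory text describes.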