Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 505864 (CVE-2014-0138) - <net-misc/curl-7.36.0: multiple vulnerabilities (CVE-2014-{0138,0139,1263,2522})
Summary: <net-misc/curl-7.36.0: multiple vulnerabilities (CVE-2014-{0138,0139,1263,2522})
Status: RESOLVED FIXED
Alias: CVE-2014-0138
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://curl.haxx.se/docs/security.html
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-03-26 10:27 UTC by Agostino Sarubbo
Modified: 2014-06-22 13:29 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-03-26 10:27:27 UTC
libcurl wrong re-use of connections

Date:	March 26, 2014
ID	CVE-2014-0138 20140326A
Affected versions	from libcurl 7.10.6 to and including 7.35.0
Not affected versions	libcurl < 7.10.6 and >= 7.36.0	
Patch	libcurl-bad-reuse.patch


libcurl IP address wildcard certificate validation

Date:	March 26, 2014
ID	CVE-2014-0139 20140326B
Affected versions	from libcurl 7.1 to and including 7.35.0
Not affected versions	libcurl >= 7.36.0	
Patch	libcurl-reject-cert-ip-wildcards.patch


libcurl not verifying certs for TLS to IP address / Darwinssl

Date:	March 26, 2014
ID	CVE-2014-1263 20140326C
Affected versions	from libcurl 7.27.0 to and including 7.35.0
Not affected versions	libcurl < 7.27.0 and >= 7.36.0	
Patch	commit afc6e5004fabee


libcurl not verifying certs for TLS to IP address / Winssl

Date:	March 26, 2014
ID	CVE-2014-2522 20140326D
Affected versions	from libcurl 7.27.0 to and including 7.35.0
Not affected versions	libcurl < 7.27.0 and >= 7.36.0	
Patch	commit 63fc8ee7be2b71
Comment 1 Anthony Basile gentoo-dev 2014-03-26 12:57:34 UTC
Is there any in-tree version that is not affected?
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2014-03-26 15:28:37 UTC

Anthony here is the detailed information:

CVE-2014-0138
http://curl.haxx.se/docs/adv_20140326A.html
Affected versions	from libcurl 7.10.6 to and including 7.35.0
Not affected versions	libcurl < 7.10.6 and >= 7.36.0
Patch for Version:	http://curl.haxx.se/libcurl-bad-reuse.patch

CVE-2014-0139
http://curl.haxx.se/docs/adv_20140326B.html
Affected versions	from libcurl 7.1 to and including 7.35.0
Not affected versions	libcurl >= 7.36.0
Patch for Versions:	http://curl.haxx.se/libcurl-reject-cert-ip-wildcards.patch

CVE-2014-1263
http://curl.haxx.se/docs/adv_20140326C.html
Affected versions	from libcurl 7.27.0 to and including 7.35.0
Not affected versions	libcurl < 7.27.0 and >= 7.36.0

CVE-2014-2522
http://curl.haxx.se/docs/adv_20140326D.html
Affected versions	from libcurl 7.27.0 to and including 7.35.0
Not affected versions	libcurl < 7.27.0 and >= 7.36.0
Patch for Version:  https://github.com/bagder/curl/commit/63fc8ee7be2b71

Version not affected on all of them is 7.36.0
Comment 3 Jack Suter 2014-04-02 00:34:09 UTC
Just an FYI to anyone watching this bug without watching portage, an ebuild for 7.36.0 is available but still needs to be stabilized.
Comment 4 Anthony Basile gentoo-dev 2014-04-02 15:44:44 UTC
(In reply to Jack Suter from comment #3)
> Just an FYI to anyone watching this bug without watching portage, an ebuild
> for 7.36.0 is available but still needs to be stabilized.

Okay let's start stabilization:

TARGET = "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2014-04-02 16:17:39 UTC
(In reply to Anthony Basile from comment #4)
> (In reply to Jack Suter from comment #3)
> > Just an FYI to anyone watching this bug without watching portage, an ebuild
> > for 7.36.0 is available but still needs to be stabilized.
> 
> Okay let's start stabilization:
> 
> TARGET = "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

Stabilise what?
Comment 6 Anthony Basile gentoo-dev 2014-04-02 16:20:15 UTC
(In reply to Jeroen Roovers from comment #5)
> (In reply to Anthony Basile from comment #4)
> > (In reply to Jack Suter from comment #3)
> > > Just an FYI to anyone watching this bug without watching portage, an ebuild
> > > for 7.36.0 is available but still needs to be stabilized.
> > 
> > Okay let's start stabilization:
> > 
> > TARGET = "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
> 
> Stabilise what?

curl-7.36.0.  Its the latest version not affected by the above CVEs.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2014-04-02 23:43:47 UTC
(In reply to Anthony Basile from comment #6)
> curl-7.36.0.  Its the latest version not affected by the above CVEs.

Next time, write separate valid atoms on separate lines. We agreed on this ages ago, since it's really hard and time-consuming to read through all the chatter to find what is supposed to be done. So do this:

=net-misc/curl-7.36.0

and everyone can see in an instant what you want.
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2014-04-03 14:41:08 UTC
Stable for HPPA.
Comment 9 Agostino Sarubbo gentoo-dev 2014-04-05 22:01:16 UTC
amd64 stable
Comment 10 Sergey Popov gentoo-dev 2014-04-07 09:17:23 UTC
arm stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-04-12 09:33:43 UTC
x86 stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-04-13 11:08:16 UTC
ppc stable
Comment 13 Agostino Sarubbo gentoo-dev 2014-04-21 10:50:45 UTC
alpha stable
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2014-04-29 20:13:23 UTC
CVE-2014-0139 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0139):
  cURL and libcurl 7.1 before 7.36.0, when using the OpenSSL, axtls, qsossl or
  gskit libraries for TLS, recognize a wildcard IP address in the subject's
  Common Name (CN) field of an X.509 certificate, which might allow
  man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted
  certificate issued by a legitimate Certification Authority.

CVE-2014-0138 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0138):
  The default configuration in cURL and libcurl 7.10.6 before 7.36.0 re-uses
  (1) SCP, (2) SFTP, (3) POP3, (4) POP3S, (5) IMAP, (6) IMAPS, (7) SMTP, (8)
  SMTPS, (9) LDAP, and (10) LDAPS connections, which might allow
  context-dependent attackers to connect as other users via a request, a
  similar issue to CVE-2014-0015.
Comment 15 Agostino Sarubbo gentoo-dev 2014-05-11 08:05:59 UTC
ppc64 stable
Comment 16 Agostino Sarubbo gentoo-dev 2014-05-13 15:21:36 UTC
ia64 stable
Comment 17 Agostino Sarubbo gentoo-dev 2014-05-14 16:11:39 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 18 Anthony Basile gentoo-dev 2014-05-14 16:52:45 UTC
(In reply to Agostino Sarubbo from comment #17)
> sparc stable.
> 
> Maintainer(s), please cleanup.
> Security, please add it to the existing request, or file a new one.

Done.
Comment 19 Yury German Gentoo Infrastructure gentoo-dev 2014-06-10 01:50:22 UTC
Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2014-06-22 13:29:06 UTC
This issue was resolved and addressed in
 GLSA 201406-21 at http://security.gentoo.org/glsa/glsa-201406-21.xml
by GLSA coordinator Mikle Kolyada (Zlogene).