729374 – (CVE-2020-8169, CVE-2020-8177) <net-misc/curl-7.71.0: Multiple vulnerabilities (CVE-2020-8169, CVE-2020-8177)

Bug 729374 (CVE-2020-8169, CVE-2020-8177) - <net-misc/curl-7.71.0: Multiple vulnerabilities (CVE-2020-8169, CVE-2020-8177)

Summary: <net-misc/curl-7.71.0: Multiple vulnerabilities (CVE-2020-8169, CVE-2020-8177)

Status:	RESOLVED FIXED

Alias:	CVE-2020-8169, CVE-2020-8177

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B3 [glsa+ cve]
Keywords:

Depends on:
Blocks:

Reported:	2020-06-24 07:01 UTC by John Helmert III
Modified:	2020-07-27 03:17 UTC (History)
CC List:	1 user (show)

See Also:	730416
Package list:	=net-misc/curl-7.71.0 amd64 arm arm64 hppa ppc ppc64 s390 sparc x86
Runtime testing required:	---

Flags:	nattka: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2020-06-24 07:01:02 UTC

CVE-2020-8169 (https://curl.haxx.se/docs/CVE-2020-8169.html):

libcurl can be tricked to prepend a part of the password to the host name before it resolves it, potentially leaking the partial password over the network and to the DNS server(s).

CVE-2020-8177 (https://curl.haxx.se/docs/CVE-2020-8177.html):

curl can be tricked my a malicious server to overwrite a local file when using -J (--remote-header-name) and -i (--head) in the same command line.

Both of these are fixed in cURL 7.71.0.

Comment 1 John Helmert III archtester

2020-06-24 07:02:14 UTC

Maintainer, please bump.

Comment 2 Sam James archtester

2020-06-28 14:00:36 UTC

Please let us know when ready to stable.

Comment 3 Anthony Basile gentoo-dev

2020-06-29 13:20:55 UTC

(In reply to Sam James (sec padawan) from comment #2)
> Please let us know when ready to stable.

It should be good to go.

KEYWORDS="amd64 arm arm64 hppa ppc ppc64 sparc x86"

Comment 4 Sam James archtester

2020-06-29 15:34:06 UTC

(In reply to Anthony Basile from comment #3)
> (In reply to Sam James (sec padawan) from comment #2)
> > Please let us know when ready to stable.
> 
> It should be good to go.
> 
> KEYWORDS="amd64 arm arm64 hppa ppc ppc64 sparc x86"

Excellent, thank you!

Comment 5 Mikle Kolyada (RETIRED) archtester

2020-06-29 16:01:06 UTC

amd64 stable

Comment 6 Rolf Eike Beer archtester

2020-06-29 20:53:56 UTC

sparc stable

Comment 7 Agostino Sarubbo gentoo-dev

2020-06-30 06:35:40 UTC

x86 stable

Comment 8 Agostino Sarubbo gentoo-dev

2020-07-02 06:29:01 UTC

arm stable

Comment 9 Agostino Sarubbo gentoo-dev

2020-07-02 06:30:53 UTC

ppc stable

Comment 10 Agostino Sarubbo gentoo-dev

2020-07-02 06:32:47 UTC

ppc64 stable

Comment 11 Rolf Eike Beer archtester

2020-07-02 17:16:20 UTC

hppa stable

Comment 12 Sam James archtester

2020-07-04 12:53:28 UTC

arm64 stable

----
@maintainer, please cleanup. Also see dependent bug.

Comment 13 Sam James archtester

2020-07-04 12:53:53 UTC

(In reply to Sam James (sec padawan) from comment #12)
> @maintainer, please cleanup. Also see dependent bug.

blocker

Comment 14 Anthony Basile gentoo-dev

2020-07-07 19:49:13 UTC

(In reply to Sam James (sec padawan) from comment #13)
> (In reply to Sam James (sec padawan) from comment #12)
> > @maintainer, please cleanup. Also see dependent bug.
> 
> blocker

Please read bug #730416 for more detail, but USE=quiche is stable masked on amd64.  So its available for ~amd64 but not for amd64 which is where the bug occurs.  It is a known issue and should not block stabilization.  I'm moving the blocker to "See Also".

Comment 15 Agostino Sarubbo gentoo-dev

2020-07-09 08:36:41 UTC

s390 stable.

Maintainer(s), please cleanup.
Security, please vote.

Comment 16 Sam James archtester

2020-07-26 16:00:36 UTC

(In reply to Anthony Basile from comment #14)
> (In reply to Sam James (sec padawan) from comment #13)
> > (In reply to Sam James (sec padawan) from comment #12)
> > > @maintainer, please cleanup. Also see dependent bug.
> > 
> > blocker
> 
> Please read bug #730416 for more detail, but USE=quiche is stable masked on
> amd64.  So its available for ~amd64 but not for amd64 which is where the bug
> occurs.  It is a known issue and should not block stabilization.  I'm moving
> the blocker to "See Also".

(Thank you)

GLSA vote: yes

Comment 17 GLSAMaker/CVETool Bot gentoo-dev

2020-07-26 23:55:07 UTC

This issue was resolved and addressed in
 GLSA 202007-16 at https://security.gentoo.org/glsa/202007-16
by GLSA coordinator Sam James (sam_c).

Comment 18 Sam James archtester

2020-07-27 01:15:36 UTC

(In reply to GLSAMaker/CVETool Bot from comment #17)
> This issue was resolved and addressed in
>  GLSA 202007-16 at https://security.gentoo.org/glsa/202007-16
> by GLSA coordinator Sam James (sam_c).

Reopening for cleanup.

Comment 19 Larry the Git Cow gentoo-dev

2020-07-27 03:15:39 UTC

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f0cf742462897b3ddeb3705b7d606e0f98bf2c5e

commit f0cf742462897b3ddeb3705b7d606e0f98bf2c5e
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-07-27 02:33:27 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-27 03:15:18 +0000

    net-misc/curl: security cleanup
    
    Closes: https://bugs.gentoo.org/729374
    Package-Manager: Portage-3.0.0, Repoman-2.3.23
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/curl/Manifest                      |   3 -
 net-misc/curl/curl-7.68.0.ebuild            | 265 ---------------------------
 net-misc/curl/curl-7.69.1.ebuild            | 265 ---------------------------
 net-misc/curl/curl-7.70.0-r1.ebuild         | 267 ----------------------------
 net-misc/curl/files/curl-fix-cpu-load.patch |  94 ----------
 5 files changed, 894 deletions(-)