
Bug 373235 (CVE-2011-2192)

Summary: <net-misc/curl-7.24.0: inappropriate GSSAPI delegation (CVE-2011-2192)
Product: Gentoo Security
Reporter: Petr Pisar <petr.pisar>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: angelos
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://curl.haxx.se/docs/adv_20110623.html
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 369501, 400799
Bug Blocks:

Description Petr Pisar 2011-06-27 19:43:01 UTC
curl versions between 7.10.6 and 7.21.6 inclusive silently delegate the client's Kerberos ticket-granting ticket to the server, which allows the server to impersonate the client to any other GSS-authenticated service.

This vulnerability has been public since 2011-06-23 and has been assigned the identifier CVE-2011-2192.

Upstream has released a new version, 7.21.7, fixing this flaw, and has provided a separate patch <http://curl.haxx.se/curl-gssapi-delegation.patch> for easily securing older curl versions.

Users with non-forwardable tickets (/etc/krb5.conf, section libdefaults, option forwardable=no) are not vulnerable.
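Added triage helper (example code written for this page; it is not part of the bug report, curl, or Gentoo). It applies the two facts stated in the description: a curl/libcurl build is affected if its version lies in 7.10.6 through 7.21.6 inclusive, and a host whose /etc/krb5.conf sets forwardable=no in [libdefaults] is not exposed because the server receives no forwardable TGT to reuse. The krb5.conf excerpts are constructed for the example; treating an unset `forwardable` as exposed is an assumption (a user can still request a forwardable ticket with `kinit -f`), not something the bug states.

```python
"""Triage helper for CVE-2011-2192: is this host's curl + Kerberos setup exposed?

Added example, not code from the bug, curl or Gentoo. The affected range comes
from the bug description; the krb5.conf samples are constructed.
"""
import re
import subprocess

# Inclusive range from the description: 7.10.6 <= version <= 7.21.6.
AFFECTED_MIN = (7, 10, 6)
AFFECTED_MAX = (7, 21, 6)

KRB5_TRUE = ("true", "t", "yes", "y", "on", "1")


def parse_curl_version(text):
    """Extract (major, minor, patch) from a bare version such as '7.21.7' or
    from the first line of `curl --version` output."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError("no curl version found in: %r" % (text,))
    return tuple(int(x) for x in m.groups())


def curl_version_affected(version):
    """True if this curl/libcurl build is inside the vulnerable range."""
    v = parse_curl_version(version) if isinstance(version, str) else tuple(version)
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def krb5_forwardable(conf_text):
    """Return True/False for 'forwardable' in [libdefaults], None if unset.

    krb5.conf comments are whole lines starting with '#' or ';'; the last
    assignment wins, as it does for the library itself."""
    section = None
    value = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1).lower()
            continue
        if section != "libdefaults":
            continue
        m = re.match(r"forwardable\s*=\s*(\S+)", line, re.IGNORECASE)
        if m:
            value = m.group(1).lower() in KRB5_TRUE
    return value


def exposed(version, conf_text):
    """Combined verdict: affected curl AND tickets that may be forwarded.

    Assumption (not from the bug): an unset 'forwardable' counts as exposed,
    because `kinit -f` can still obtain a forwardable TGT on that host."""
    if not curl_version_affected(version):
        return False
    fwd = krb5_forwardable(conf_text)
    return fwd is None or fwd


# Constructed sample configurations (not taken from any real host).
KRB5_FORWARDING_ON = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    forwardable = true
    ticket_lifetime = 24h
"""

KRB5_FORWARDING_OFF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
# mitigation from the bug: the server gets no TGT it could reuse
    forwardable = no
"""


if __name__ == "__main__":
    # Run against the local binary and config; both may be absent in a sandbox.
    try:
        local = subprocess.check_output(["curl", "--version"], text=True)
    except (OSError, subprocess.CalledProcessError):
        local = "7.21.6"  # fall back to the last affected release for the demo
    try:
        with open("/etc/krb5.conf") as fh:
            conf = fh.read()
    except OSError:
        conf = KRB5_FORWARDING_ON
    print("curl version affected:", curl_version_affected(local))
    print("forwardable in [libdefaults]:", krb5_forwardable(conf))
    print("exposed:", exposed(local, conf))
```

The version check alone is not enough on a distribution that backports the upstream patch to an older version string; on such a system, confirm the fix from the package changelog rather than from `curl --version`.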
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-06-28 03:49:12 UTC
Thank you for the bug, Petr.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2011-07-10 01:05:18 UTC
CVE-2011-2192 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2192):
  The Curl_input_negotiate function in http_negotiate.c in libcurl 7.10.6
  through 7.21.6, as used in curl and other products, always performs
  credential delegation during GSSAPI authentication, which allows remote
  servers to impersonate clients via GSSAPI requests.
Comment 3 Christoph Mende (RETIRED) gentoo-dev 2011-07-20 19:59:26 UTC
fixed in .7 which I added to the tree today
Comment 4 Christoph Mende (RETIRED) gentoo-dev 2011-07-21 11:30:43 UTC
Please make sure to stabilize -r0; -r1 contains some cross-compilation changes that need more intensive testing first.
Also see the blocking bug: c-ares-1.6 is required for curl-7.21.
Comment 5 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-07-21 16:28:28 UTC
I took the liberty of stabilizing ahead of schedule, since I've been testing rdeps of bug 369501.

ppc/ppc64 done with =net-misc/curl-7.21.7
Comment 6 Christoph Mende (RETIRED) gentoo-dev 2011-07-22 17:25:00 UTC
This is getting slightly worse: 7.21.7 removed an empty header, so a couple of apps need to be fixed by simply removing the header (bug 376007).
Comment 7 Sean Amoss (RETIRED) gentoo-dev Security 2012-01-14 17:11:38 UTC
Christoph, can we continue with stabilization of net-misc/curl-7.21.7? Thanks
Comment 8 Sean Amoss (RETIRED) gentoo-dev Security 2012-03-03 23:48:34 UTC
Fixed with =net-misc/curl-7.24.0

Adding to existing GLSA request.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2012-03-06 01:29:55 UTC
This issue was resolved and addressed in
 GLSA 201203-02 at http://security.gentoo.org/glsa/glsa-201203-02.xml
by GLSA coordinator Sean Amoss (ackle).