
Bug 400799

Summary: <net-misc/curl-7.24.0 : SSL/TLS IV Selection Weakness and URL Sanitisation Vulnerability (CVE-2011-3389,CVE-2012-0036)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: angelos, gentoo, vapier
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://secunia.com/advisories/47690/
Whiteboard: A4 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 373235    

Description Agostino Sarubbo gentoo-dev 2012-01-25 20:02:00 UTC
From Secunia security advisory at $URL:

Description:
1) A weakness within the SSL and TLS Initialization Vector (IV) selection exists when compiled to use OpenSSL and the SSL_OP_ALL bitmask is used.

For more information:
Microsoft Windows SSL/TLS Initialization Vector Selection Weakness
(https://secunia.com/advisories/46168/)

This vulnerability is reported in versions 7.10.6 through 7.23.1.

2) Input passed via the file path section of URLs related to the IMAP, POP3, and SMTP protocols is not properly sanitised before being used in protocol-specific code and can be exploited to e.g. inject control characters and cause a mail server to send or delete messages.

This vulnerability is reported in versions 7.20.0 through 7.23.1.


Solution:
Update to version 7.24.0.

Original Advisory:
http://curl.haxx.se/docs/adv_20120124B.html
http://curl.haxx.se/docs/adv_20120124.html
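The second issue above (the IMAP/POP3/SMTP path injection, CVE-2012-0036) is easiest to see with the decoding step written out. The block below is an added illustration for this page, not code from the original bug report or from curl itself: a small percent-decoder that mirrors the shape of the 7.24.0 fix (refuse any decoded byte that is a control character) next to the unchecked behaviour, a hypothetical `imap_select_cmd()` that pastes the decoded mailbox name into an IMAP SELECT line the way a client would, and a constructed malicious path that smuggles a CRLF and a second command (`STORE ... \Deleted`) into the mailbox name. The tag `A001`/`A002`, the command text and the sample URL path are all constructed for the demonstration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Percent-decode `in` into a freshly malloc'd string.
 * With reject_ctrl == 0 every decoded byte is accepted (the pre-7.24.0
 * behaviour). With reject_ctrl != 0 any decoded byte < 0x20 or 0x7f makes
 * the call fail and return NULL, so CR/LF can never reach protocol code. */
static char *urldecode(const char *in, int reject_ctrl)
{
    size_t len = strlen(in);
    char *out = malloc(len + 1);      /* decoding never grows the string */
    size_t o = 0;
    if (!out)
        return NULL;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '%' && i + 2 < len &&
            isxdigit((unsigned char)in[i + 1]) &&
            isxdigit((unsigned char)in[i + 2])) {
            char hex[3] = { in[i + 1], in[i + 2], 0 };
            c = (unsigned char)strtoul(hex, NULL, 16);
            i += 2;
        }
        if (reject_ctrl && (c < 0x20 || c == 0x7f)) {
            free(out);
            return NULL;              /* control character: refuse the path */
        }
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return out;
}

/* Hypothetical client helper: build the IMAP SELECT line for the mailbox
 * named by the URL path. Returns a malloc'd string, or NULL when the
 * sanitising decoder rejected the path. */
static char *imap_select_cmd(const char *url_path, int reject_ctrl)
{
    char *mbox = urldecode(url_path, reject_ctrl);
    if (!mbox)
        return NULL;
    size_t n = strlen(mbox) + 32;
    char *cmd = malloc(n);
    if (!cmd) {
        free(mbox);
        return NULL;
    }
    snprintf(cmd, n, "A001 SELECT %s\r\n", mbox);
    free(mbox);
    return cmd;
}

/* Count CRLF-terminated lines, i.e. how many IMAP commands the server
 * would actually see. One SELECT must give exactly 1. */
static int count_commands(const char *cmd)
{
    int n = 0;
    for (const char *p = cmd; (p = strstr(p, "\r\n")) != NULL; p += 2)
        n++;
    return n;
}

int main(void)
{
    /* Constructed attacker-controlled path: "INBOX" + CRLF + a second
     * command that flags message 1 for deletion. */
    const char *evil = "INBOX%0D%0AA002%20STORE%201%20%2BFLAGS%20%5CDeleted";

    char *bad = imap_select_cmd(evil, 0);
    printf("unsanitised: %d command(s) sent for one SELECT\n",
           bad ? count_commands(bad) : 0);

    char *good = imap_select_cmd(evil, 1);
    printf("sanitised: %s\n", good ? good : "path rejected");

    free(bad);
    free(good);
    return 0;
}
```

The same check applies to POP3 and SMTP, where the path becomes a message number or a recipient: the decoder is the single choke point, so rejecting control characters there (rather than escaping per protocol) is what closes the whole class.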
Comment 1 SpanKY gentoo-dev 2012-01-26 19:41:26 UTC
I've added 7.24.0 since there's a security issue ... hopefully Christoph doesn't mind
Comment 2 Agostino Sarubbo gentoo-dev 2012-01-26 19:50:58 UTC
Thanks Mike.


@angelos, is it ready to stabilize?
Comment 3 Christoph Mende (RETIRED) gentoo-dev 2012-01-26 20:56:38 UTC
26/073210 <@vapier> angelos: mind if i bump curl to 7.24.0 ?
26/073500 <@angelos> vapier: sure, go ahead
26/073803 -!- vapier [UserBah@nat/google/x-rsldjehppespqenp] has quit [Ping timeout: 272 seconds]
guess you missed it

anyway, good to go and thanks Mike
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2012-01-27 04:52:43 UTC
Arches, please test and mark stable:
=net-misc/curl-7.24.0
Target KEYWORDS: "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 5 Agostino Sarubbo gentoo-dev 2012-01-27 13:30:40 UTC
amd64 stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2012-01-28 17:26:14 UTC
Stable for HPPA.
Comment 7 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-01-29 12:23:05 UTC
x86 stable
Comment 8 Viorel Tabara 2012-01-31 16:53:35 UTC
*** Bug 401655 has been marked as a duplicate of this bug. ***
Comment 9 Brent Baude (RETIRED) gentoo-dev 2012-02-01 17:22:03 UTC
ppc done
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2012-02-04 15:31:30 UTC
alpha/arm/ia64/s390/sh/sparc stable
Comment 11 Brent Baude (RETIRED) gentoo-dev 2012-03-03 15:32:16 UTC
ppc64 done
Comment 12 Agostino Sarubbo gentoo-dev 2012-03-03 15:57:22 UTC
@security:

please vote
Comment 13 Tim Sammut (RETIRED) gentoo-dev 2012-03-03 20:09:23 UTC
Thanks, folks. GLSA Vote: yes.
Comment 14 Sean Amoss (RETIRED) gentoo-dev Security 2012-03-03 23:41:49 UTC
Added to existing GLSA request.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2012-03-06 01:29:59 UTC
This issue was resolved and addressed in
 GLSA 201203-02 at http://security.gentoo.org/glsa/glsa-201203-02.xml
by GLSA coordinator Sean Amoss (ackle).