|Summary:||<net-misc/curl-7.51.0: Multiple vulnerabilities|
|Product:||Gentoo Security||Reporter:||Kristian Fiskerstrand <k_f>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Severity:||normal||CC:||bertrand, blueness, jer, kensington|
|Whiteboard:||A2 [glsa cve]|
|Package list:||Runtime testing required:||---|
|Bug Depends on:||581034, 603370|
Description Kristian Fiskerstrand 2016-10-22 10:07:46 UTC
An alert on the upcoming 7.51.0 release

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Wed, 19 Oct 2016 00:30:38 +0200 (CEST)

Hi friends,

In two weeks time, on Wednesday November 2nd, we will release curl and libcurl 7.51.0 unless something earth shattering happens.

This release will bundle no less than _eleven_ security advisories and their associated fixes (unless we get more reported in the time we have left). Each individual security issue will be documented in detail in their own advisories as usual and sent out as separate emails and get documented on the curl web site.

Chances are big several of these affect your use of curl. We have never before handled anywhere close to this many security problems in a single release.

We have notified both Apple and distros_at_openwall so the major distributions should be aware of what's coming.

Merging eleven previously non-disclosed branches into master just before a release is not ideal but done so to minimize the security impact on existing users when the problems get known. My plan is to merge them all into master and push around 48 hours before release, watch the autobuilds closely, have a few extra coverity scans done and then fix up what's found before the release.

I will also prepare to do a follow-up patch release within the following week if we find serious enough problems in the shipped product.
Comment 1 Hanno Böck 2016-11-02 09:40:03 UTC
It's there: https://curl.haxx.se/changes.html#7_51_0

CVE-2016-8615: cookie injection for other servers
CVE-2016-8616: case insensitive password comparison
CVE-2016-8617: OOB write via unchecked multiplication
CVE-2016-8618: double-free in curl_maprintf
CVE-2016-8619: double-free in krb5 code
CVE-2016-8620: glob parser write/read out of bounds
CVE-2016-8621: curl_getdate read out of bounds
CVE-2016-8622: URL unescape heap overflow via integer truncation
CVE-2016-8623: Use-after-free via shared cookies
CVE-2016-8624: invalid URL parsing with '#'
CVE-2016-8625: IDNA 2003 makes curl use wrong host

Maintainers, please bump to 7.51.0.
Comment 2 Anthony Basile 2016-11-02 22:36:20 UTC
(In reply to Hanno Boeck from comment #1)
>
> Maintainers, please bump to 7.51.0.

Unfortunately it's not an easy bump since curl-7.50.3 depended on libidn and curl-7.51.0 depends on libidn2. I'm getting the latter ready and hopefully we can rapid keyword/stabilize, or else just mask idn for now.
Comment 3 Jeroen Roovers 2016-11-03 12:43:26 UTC
Stable for HPPA PPC64.
Comment 4 Jeroen Roovers 2016-11-03 12:44:18 UTC
commit 802d574601a5cb10eb43aa715e9d030959004da7
Author: Jeroen Roovers <email@example.com>
Date:   Thu Nov 3 13:43:04 2016 +0100

    net-misc/curl: Stable for HPPA PPC64 (bug #598856).

    Package-Manager: portage-2.3.2
    RepoMan-Options: --ignore-arches

I referred to the wrong bug, there.
Comment 5 Kristian Fiskerstrand 2016-11-04 08:33:52 UTC
This comment relates to CVE-2016-8625: IDNA 2003 makes curl use wrong host

Using libidn2 is an insufficient fix as there is potential for mismatches between IDNA 2003 and IDNA 2008. Upstream maintainer advice would suggest use.stable.masking idn for curl at the present time.

http://www.openwall.com/lists/oss-security/2016/11/04/6:
Date: Fri, 4 Nov 2016 08:27:43 +0100 (CET)
From: Daniel Stenberg <daniel@...x.se>:

I've suggested curl users to simply *disable* IDN completely in their builds now until we get something better done. To reduce the risk.

There's no schedule or plan yet for when "something better" might be ready. I'll admit my energy level for this crap is very low.
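The IDNA 2003 / IDNA 2008 mismatch that comment 5 refers to, as an added example that is not part of the bug thread or of curl's code: it converts a hostname both ways and reports when the two ASCII forms name different hosts. The function names and sample hostnames are constructed for illustration, and the IDNA 2008 side is a simplified stand-in (lowercase, NFC, Punycode) rather than a full implementation.

```python
import unicodedata


def to_ascii_idna2003(host: str) -> str:
    """IDNA 2003 ToASCII. Python's built-in 'idna' codec implements
    RFC 3490 with nameprep, which maps some characters (e.g. 'ß' -> 'ss')."""
    return host.encode("idna").decode("ascii")


def to_ascii_idna2008_approx(host: str) -> str:
    """Simplified stand-in for IDNA 2008 (assumption: lowercase + NFC +
    Punycode only; no code point validity, bidi or contextual checks).
    IDNA 2008 keeps characters such as 'ß' instead of mapping them."""
    labels = []
    for label in unicodedata.normalize("NFC", host.lower()).split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def idna_mismatch(host: str):
    """Return (idna2003, idna2008_approx) when the two forms differ,
    i.e. the two standards would look up different hosts; else None."""
    old = to_ascii_idna2003(host)
    new = to_ascii_idna2008_approx(host)
    return (old, new) if old != new else None


# Constructed sample hostnames, not taken from the bug report.
SAMPLES = ["example.com", "bücher.de", "straße.de"]

if __name__ == "__main__":
    for name in SAMPLES:
        result = idna_mismatch(name)
        if result is None:
            print(f"{name}: same host under both")
        else:
            print(f"{name}: IDNA 2003 -> {result[0]}, IDNA 2008 -> {result[1]}")
```

A hostname flagged by `idna_mismatch` is one where a client and the registry or certificate issuer can disagree about which host is meant, which is the risk that disabling IDN avoids.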
Comment 6 Anthony Basile 2016-12-21 16:47:47 UTC
@teams: alpha arm64 hppa ia64 m68k s390 sh sparc

You'll want to keyword and stabilize this package and its dependencies. Sorry you should probably have been added earlier.

@prefix you may want to restore prefixes too.
Comment 7 Tobias Klausmann 2016-12-21 19:35:14 UTC
Stable on alpha.
Comment 8 Tobias Klausmann 2016-12-21 19:46:33 UTC
Also stable on amd64. Somehow O.o
Comment 9 Kristian Fiskerstrand 2016-12-21 19:50:10 UTC
(In reply to Anthony Basile from comment #6)
> @teams: alpha arm64 hppa ia64 m68k s390 sh sparc You'll want to keyword and
> stabilize this package and its dependencies. Sorry you should probably have
> been added earlier.

Please be advised that bug 603370 re security vuln in lower version than 7.52.0 supersedes this report
Comment 10 Anthony Basile 2016-12-21 20:15:27 UTC
(In reply to Kristian Fiskerstrand from comment #9)
> (In reply to Anthony Basile from comment #6)
> > @teams: alpha arm64 hppa ia64 m68k s390 sh sparc You'll want to keyword and
> > stabilize this package and its dependencies. Sorry you should probably have
> > been added earlier.
>
> Please be advised that bug 603370 re security vuln in lower version than
> 7.52.0 supersedes this report

I am aware, which is why I want the keywords at least in so I can forward migrate them.
Comment 11 Fabian Groffen 2016-12-22 08:36:49 UTC
Prefix keywords restored, x86-interix dropped.