
Bug 610572 (CVE-2017-2629)

Summary: <net-misc/curl-7.53.0: SSL_VERIFYSTATUS ignored
Product: Gentoo Security
Reporter: Thomas Deutschmann (RETIRED) <whissi>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: blueness
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://curl.haxx.se/docs/adv_20170222.html
Whiteboard: A4 [glsa cve]
Package list:
=net-misc/curl-7.53.0
Runtime testing required: ---

Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-22 15:58:40 UTC
From $URL:

curl and libcurl support "OCSP stapling", also known as the TLS Certificate Status Request extension (using the CURLOPT_SSL_VERIFYSTATUS option). When telling curl to use this feature, it uses that TLS extension to ask for a fresh proof of the server's certificate's validity. If the server doesn't support the extension, or fails to provide said proof, curl is expected to return an error.

Due to a coding mistake, the code that checks for a test success or failure ends up always thinking there's valid proof, even when there is none or if the server doesn't support the TLS extension in question, contrary to how it used to function and contrary to how this feature is documented to work.

This could lead to users not detecting when a server's certificate goes invalid or otherwise being misled that the server is in better shape than it is in reality.

This flaw also exists in the command line tool (--cert-status).

We are not aware of any exploit of this flaw.
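The practical question for an administrator reading this report is whether a given host links a libcurl below 7.53.0, and therefore whether a `--cert-status` run that exits 0 means anything. The following is an added audit helper written for this bug entry; it is not curl's or Gentoo's code. It parses the `libcurl/x.y.z` token from the first line of `curl --version` output (the library version is what matters here, since the flaw is in libcurl and the tool may be linked against an older library), compares it against the fixed version named in the package list, and interprets the exit status of a `curl --cert-status` run accordingly. The exit code 91 is libcurl's `CURLE_SSL_INVALIDCERTSTATUS`, the error curl is expected to return when no valid stapled response arrives. The two version lines in the block are constructed samples in the format `curl --version` prints, not output captured from any real host; the optional live check only runs when a `curl` binary is on PATH.

```python
"""Audit helper for CVE-2017-2629: CURLOPT_SSL_VERIFYSTATUS / --cert-status ignored.

Added example for this bug report; not curl's or Gentoo's code.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

# First fixed release, as given in the bug's package list (=net-misc/curl-7.53.0).
FIXED_VERSION = (7, 53, 0)

# libcurl's CURLE_SSL_INVALIDCERTSTATUS: the error curl must return when the
# server sends no (or an invalid) stapled OCSP response.  The curl tool
# reports it as exit status 91.
CURLE_SSL_INVALIDCERTSTATUS = 91

# Matches the library token on the first line of `curl --version`,
# e.g. "curl 7.52.1 (x86_64-pc-linux-gnu) libcurl/7.52.1 OpenSSL/1.1.0d ..."
_VERSION_RE = re.compile(r"\blibcurl/(\d+)\.(\d+)\.(\d+)")


def parse_libcurl_version(first_line: str) -> Optional[Tuple[int, int, int]]:
    """Return the linked libcurl version as a tuple, or None if not found."""
    m = _VERSION_RE.search(first_line)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: Optional[Tuple[int, int, int]]) -> bool:
    """True when the library is older than the first fixed release."""
    if version is None:
        raise ValueError("libcurl version unknown; cannot assess CVE-2017-2629")
    return version < FIXED_VERSION


def interpret_cert_status_exit(exit_code: int, version: Tuple[int, int, int]) -> str:
    """Explain what the exit status of `curl --cert-status <url>` proves."""
    if exit_code == CURLE_SSL_INVALIDCERTSTATUS:
        return "no valid stapled OCSP response: curl refused the connection (expected behaviour)"
    if exit_code == 0 and is_affected(version):
        # On affected libraries the status check is never really performed.
        return ("exit 0 is NOT proof of a stapled OCSP response: libcurl < 7.53.0 "
                "skips the check (CVE-2017-2629)")
    if exit_code == 0:
        return "server supplied a stapled OCSP response that verified"
    return f"curl failed for another reason (exit {exit_code}); certificate status not evaluated"


def installed_libcurl_version() -> Optional[Tuple[int, int, int]]:
    """Query the local curl binary, if any, for its linked libcurl version."""
    curl = shutil.which("curl")
    if curl is None:
        return None
    out = subprocess.run([curl, "--version"], capture_output=True, text=True, check=False).stdout
    return parse_libcurl_version(out.splitlines()[0] if out else "")


# Constructed sample lines in the format `curl --version` prints (not real host output).
SAMPLE_VULNERABLE = "curl 7.52.1 (x86_64-pc-linux-gnu) libcurl/7.52.1 OpenSSL/1.1.0d zlib/1.2.11"
SAMPLE_FIXED = "curl 7.53.0 (x86_64-pc-linux-gnu) libcurl/7.53.0 OpenSSL/1.1.0d zlib/1.2.11"

if __name__ == "__main__":
    for line in (SAMPLE_VULNERABLE, SAMPLE_FIXED):
        v = parse_libcurl_version(line)
        print(line.split()[1], "affected" if is_affected(v) else "fixed",
              "|", interpret_cert_status_exit(0, v))
    live = installed_libcurl_version()
    if live is not None:
        print("installed libcurl", ".".join(map(str, live)),
              "affected" if is_affected(live) else "not affected")
```

The design point is the ordering of checks in `interpret_cert_status_exit`: a 91 is trustworthy on any version, but a 0 is only meaningful once the library version has been confirmed at or above 7.53.0, which is why the version comparison is consulted before the success case. Applications using libcurl directly can make the same decision from `curl_version_info()` rather than by parsing tool output.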
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-22 16:00:36 UTC
@ Maintainer(s): Can we already start stabilization of =net-misc/curl-7.53.0?
Comment 2 Anthony Basile gentoo-dev 2017-02-22 23:28:08 UTC
(In reply to Thomas Deutschmann from comment #1)
> @ Maintainer(s): Can we already start stabilization of =net-misc/curl-7.53.0?

Yes. KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 3 Michael Weber (RETIRED) gentoo-dev 2017-02-23 09:42:42 UTC
ppc64 stable
Comment 4 Michael Weber (RETIRED) gentoo-dev 2017-02-23 10:46:41 UTC
arm ppc stable.
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2017-02-23 11:47:47 UTC
Stable for HPPA.
Comment 6 Agostino Sarubbo gentoo-dev 2017-02-23 15:56:02 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-02-23 16:31:30 UTC
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2017-02-25 10:06:00 UTC
sparc stable
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2017-02-28 11:25:17 UTC
Stable on alpha.
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2017-03-07 21:40:37 UTC
ia64 please complete stabilization.

GLSA Vote: Yes
Starting GLSA writing process.
Comment 11 Agostino Sarubbo gentoo-dev 2017-03-11 17:18:54 UTC
ia64 stable.

Maintainer(s), please cleanup.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2017-03-28 02:52:01 UTC
This issue was resolved and addressed in GLSA 201703-04 at https://security.gentoo.org/glsa/201703-04 by GLSA coordinator Yury German (BlueKnight).
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2017-03-28 02:53:11 UTC
Re Opening for cleanup.
Maintainer(s), please drop the vulnerable version(s).
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2017-04-11 05:40:03 UTC
Maintainer(s), please drop the vulnerable version(s).
Comment 15 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-04 12:41:55 UTC
Cleanup PR: https://github.com/gentoo/gentoo/pull/4846
Comment 16 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-04 12:54:32 UTC
Repository is now clean, all done.