Bug 626776 (CVE-2017-1000099, CVE-2017-1000100, CVE-2017-1000101)

Summary:	<net-misc/curl-7.55.1: Multiple vulnerabilities
Product:	Gentoo Security	Reporter:	Kristian Fiskerstrand (RETIRED) <k_f>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	blueness
Priority:	Normal	Flags:	stable-bot: sanity-check+
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://curl.haxx.se/docs/adv_20170809A.html
Whiteboard:	A4 [glsa cve]
Package list:	net-misc/curl-7.55.1	Runtime testing required:	---
Bug Depends on:	629562
Bug Blocks:	615870, 615994

Description Kristian Fiskerstrand (RETIRED) gentoo-dev

2017-08-01 11:36:25 UTC

*** EMBARGOED CRD 2017-08-09 ***
Curl 7.55.0 will be released on August 9th containing fixes for multiple vulnerabilities.

Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev

2017-08-09 07:14:16 UTC

https://curl.haxx.se/docs/adv_20170809A.html
https://curl.haxx.se/docs/adv_20170809B.html
https://curl.haxx.se/docs/adv_20170809C.html

Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev

2017-08-09 07:18:01 UTC

CVE-2017-1000101 curl: URL globbing out of bounds read 
CVE-2017-1000100 curl: TFTP sends more than buffer size 
CVE-2017-1000099 curl: FILE buffer read out of bounds

Comment 3 Anthony Basile gentoo-dev

2017-08-10 10:06:49 UTC

Its in the tree.  KEYWORDS for stable arches are "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev

2017-08-11 22:13:52 UTC

ia64 stable

Comment 5 Richard Freeman gentoo-dev

2017-08-19 20:55:02 UTC

amd64 stable

Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev

2017-08-20 16:59:46 UTC

x86 stable

Comment 7 Markus Meier gentoo-dev

2017-08-23 04:57:26 UTC

arm stable

Comment 8 Matt Turner gentoo-dev

2017-08-25 22:35:10 UTC

alpha stable

Comment 9 Anthony Basile gentoo-dev

2017-09-02 02:17:45 UTC

i had to stabilize 7.55.1 on ppc because of bug #629562.

Comment 10 Anthony Basile gentoo-dev

2017-09-02 02:22:22 UTC

stable on ppc64

Comment 11 Aaron Bauman (RETIRED) gentoo-dev

2017-09-02 02:23:38 UTC

CC'ing arches again for 7.55.1

Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev

2017-09-02 11:21:32 UTC

ia64 stable

Comment 13 Aaron Bauman (RETIRED) gentoo-dev

2017-09-02 22:09:24 UTC

amd64/x86 stable

Comment 14 Tobias Klausmann (RETIRED) gentoo-dev

2017-09-03 20:26:56 UTC

Stable on alpha.

Comment 15 Yury German Gentoo Infrastructure

2017-09-03 21:17:35 UTC

GLSA Vote: Yes
New GLSA Request filed.

All remaining arches (sparc / arm / hppa) are not security supported. Please proceed with stabilization.

Comment 16 Yury German Gentoo Infrastructure

2017-09-03 22:58:00 UTC

Maintainer(s), please drop the vulnerable version(s).

Comment 17 Markus Meier gentoo-dev

2017-09-05 04:40:18 UTC

arm stable

Comment 18 Aaron Bauman (RETIRED) gentoo-dev

2017-09-10 22:20:22 UTC

sparc was dropped to exp.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5901d8f716555a1479f12313a2925fcadd177a9

Comment 19 Sergei Trofimovich (RETIRED) gentoo-dev

2017-09-11 07:55:14 UTC

hppa/sparc stable (thanks to Dakon)

All arches are done here.

Comment 20 Christopher Díaz Riveros (RETIRED) gentoo-dev

2017-09-11 13:52:20 UTC

(In reply to Anthony Basile from comment #10)
> stable on ppc64

Keywords for net-misc/curl:
          |                                 |   u   |  
          | a a         p   a     n r     s |   n   |  
          | l m   h i   p   r m m i i s   p | e u s | r
          | p d a p a p c x m i 6 o s 3   a | a s l | e
          | h 6 r p 6 p 6 8 6 p 8 s c 9 s r | p e o | p
          | a 4 m a 4 c 4 6 4 s k 2 v 0 h c | i d t | o
----------+---------------------------------+-------+-------
   7.53.0 | + + + + + + + + + ~ + o o + + + | 6 o 0 | gentoo
   7.53.1 | ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ o o ~ ~ ~ | 6 #   | gentoo
   7.54.0 | ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ o o ~ ~ ~ | 6 #   | gentoo
   7.54.1 | + + + ~ + + + + ~ ~ ~ o o ~ ~ + | 6 #   | gentoo
   7.55.0 | + + + ~ + o + + ~ ~ ~ o o ~ ~ ~ | 6 o   | gentoo
[I]7.55.1 | + + + + + + ~ + ~ ~ ~ o o ~ ~ + | 6 o   | gentoo

@Maintainer, could you please confirm that ppc64 is stable? I can't find any commit in the log about that. After that, we need to clean the tree.

Thank you,

Gentoo Security Padawan
ChrisADR

Comment 21 Anthony Basile gentoo-dev

2017-09-11 15:37:30 UTC

(In reply to Christopher Díaz from comment #20)
> (In reply to Anthony Basile from comment #10)
> > stable on ppc64
> 
> @Maintainer, could you please confirm that ppc64 is stable? I can't find any
> commit in the log about that. After that, we need to clean the tree.
> 

I marked 7.55.1 stable on ppc64 and removed the vulnerable verins.

Comment 22 Christopher Díaz Riveros (RETIRED) gentoo-dev

2017-09-11 16:22:31 UTC

(In reply to Anthony Basile from comment #21)
> I marked 7.55.1 stable on ppc64 and removed the vulnerable verins.

Thank you very much, GLSA already requested.

Gentoo Security Padawan
ChrisADR

Comment 23 GLSAMaker/CVETool Bot gentoo-dev

2017-09-17 21:18:50 UTC

This issue was resolved and addressed in
 GLSA 201709-14 at https://security.gentoo.org/glsa/201709-14
by GLSA coordinator Aaron Bauman (b-man).