Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 686050 (CVE-2019-5435, CVE-2019-5436)

Summary: <net-misc/curl-7.65.0: multiple vulnerabilities (CVE-2019-{5435,5436})
Product: Gentoo Security Reporter: Thomas Deutschmann (RETIRED) <whissi>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: anthonyryan1, blueness
Priority: Normal Keywords: STABLEREQ
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A3 [glsa+ cve]
Package list:
net-misc/curl-7.65.0
 Runtime testing required: ---

Description Thomas Deutschmann (RETIRED) gentoo-dev 2019-05-15 18:46:36 UTC 
Incoming details.
Comment 1 Anthony Basile gentoo-dev 2019-05-23 14:36:43 UTC 
(In reply to Thomas Deutschmann from comment #0)
> Incoming details.

curl-7.65.0 is on the tree.

@arch teams please start

KEYWORDS="alpha amd64 arm arm64 ia64 ppc ppc64 x8"


@minor arch teams, i'm cc-ing you too since this is an important package with an important update.
Comment 2 Anthony Basile gentoo-dev 2019-05-23 23:38:32 UTC 
stable on amd64
Comment 3 Anthony Basile gentoo-dev 2019-05-24 13:55:03 UTC 
stable on arm64
Comment 4 Rolf Eike Beer archtester 2019-05-24 20:57:15 UTC 
sparc stable
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2019-05-25 07:52:33 UTC 
ia64 stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2019-05-25 07:59:03 UTC 
ppc stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2019-05-25 08:03:54 UTC 
ppc64 stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2019-05-26 07:10:26 UTC 
hppa stable
Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev 2019-05-26 22:28:25 UTC 
x86 stable
Comment 10 Agostino Sarubbo gentoo-dev 2019-06-04 18:52:51 UTC 
s390 stable
Comment 11 Agostino Sarubbo gentoo-dev 2019-06-06 06:46:53 UTC 
alpha stable
Comment 12 Anthony Ryan 2019-06-07 20:08:44 UTC 
Just a heads up, we're seeing production segfaults after this stabilization.

Seems to be DNS related and already reported upstream: https://github.com/curl/curl/issues/3995
Comment 13 Anthony Basile gentoo-dev 2019-06-08 11:22:31 UTC 
(In reply to Anthony Ryan from comment #12)
> Just a heads up, we're seeing production segfaults after this stabilization.
> 
> Seems to be DNS related and already reported upstream:
> https://github.com/curl/curl/issues/3995

0.65.1 was released and the ebuild is in the tree, but it doesn't seem to address you issue :(  Just in case, can you test 0.65.1 and open a separate bug if you verify that the seg fault is there too.  Unfortunately we need to move forward for security reasons.  When a patch becomes available, I'll back port it.
Comment 14 Markus Meier gentoo-dev 2019-06-13 04:28:05 UTC 
arm stable
Comment 15 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-15 16:30:59 UTC 
Added to an existing GLSA request.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2020-03-15 16:38:58 UTC 
This issue was resolved and addressed in
 GLSA 202003-29 at https://security.gentoo.org/glsa/202003-29
by GLSA coordinator Thomas Deutschmann (whissi).