Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 737990 (CVE-2020-8231)

Summary: <net-misc/curl-7.72.0: May use wrong connection to submit data if CURLOPT_CONNECT_ONLY (CVE-2020-8231)
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: ajak, blueness
Priority: Normal Flags: nattka: sanity-check-
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://curl.haxx.se/docs/CVE-2020-8231.html
Whiteboard: A3 [glsa+ cve]
Package list:
net-misc/curl-7.72.0
 Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-19 09:14:52 UTC 
Description:
"An application that performs multiple requests with libcurl's multi API and
sets the `CURLOPT_CONNECT_ONLY` option, might in rare circumstances experience
that when subsequently using the setup connect-only transfer, libcurl will
pick and use the wrong connection - and instead pick another one the
application has created since then.

[...]

The application could then accidentally send data over that connection which
wasn't at all intended for that recipient, entirely unknowingly."
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-19 09:15:17 UTC 
Please bump to 7.72.0. Thanks!
Comment 2 Anthony Basile gentoo-dev 2020-08-19 16:49:54 UTC 
(In reply to Sam James from comment #1)
> Please bump to 7.72.0. Thanks!

bumped
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-19 17:01:02 UTC 
(In reply to Anthony Basile from comment #2)
> (In reply to Sam James from comment #1)
> > Please bump to 7.72.0. Thanks!
> 
> bumped

Thanks, let us know when ready to stable.
Comment 4 NATTkA bot gentoo-dev 2020-08-19 17:05:01 UTC Comment hidden (obsolete)
Comment 5 Anthony Basile gentoo-dev 2020-08-20 13:23:57 UTC 
(In reply to NATTkA bot from comment #4)
> Sanity check failed:
> 
> > net-misc/curl-7.72.0
> >   depend hppa stable profile default/linux/hppa/17.0 (11 total)
> >     net-libs/mbedtls:0=
> >   rdepend hppa stable profile default/linux/hppa/17.0 (11 total)
> >     net-libs/mbedtls:0=

looks like httpa will either have to stabilize mbedtls or mask.

@sam It should be ready now.  Would you give a quick test at your end and start the process if it works for you --- I did test at my end, but two eyes are better than one.
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-20 13:27:00 UTC 
(In reply to Anthony Basile from comment #5)
> @sam It should be ready now.  Would you give a quick test at your end and
> start the process if it works for you --- I did test at my end, but two eyes
> are better than one.

Of course. I'll get on it shortly and let you know.

BTW:
[18:30:50]  <@sam_> blueness_: I wonder if we need a 7.72.0-r1 for curl or something
[18:31:01]  <@sam_> to allow us to stabilise without the new curl use magic :/
[18:31:26]  <@sam_> I can do it if you want (kill -r0, -r1 without the magic which we stable soon, -r2 with curl use magic)
[18:31:52]  <@sam_> I only realised when Nattka complained about mbedtls
[18:31:53]  <@sam_> then it twigged.

If you're happy with the "new USE magic", we can just go with it provided it works fine on my machine.

For reference, the changes were committed on the 4th August, but I think all the issues were to do with LibreSSL which we shook out pretty quick. No more bugs as far as I see.
Comment 7 Anthony Basile gentoo-dev 2020-08-21 13:51:23 UTC 
(In reply to Sam James from comment #6)
> (In reply to Anthony Basile from comment #5)
> > @sam It should be ready now.  Would you give a quick test at your end and
> > start the process if it works for you --- I did test at my end, but two eyes
> > are better than one.
> 
> Of course. I'll get on it shortly and let you know.
> 
> BTW:
> [18:30:50]  <@sam_> blueness_: I wonder if we need a 7.72.0-r1 for curl or
> something
> [18:31:01]  <@sam_> to allow us to stabilise without the new curl use magic
> :/
> [18:31:26]  <@sam_> I can do it if you want (kill -r0, -r1 without the magic
> which we stable soon, -r2 with curl use magic)
> [18:31:52]  <@sam_> I only realised when Nattka complained about mbedtls
> [18:31:53]  <@sam_> then it twigged.
> 
> If you're happy with the "new USE magic", we can just go with it provided it
> works fine on my machine.
> 
> For reference, the changes were committed on the 4th August, but I think all
> the issues were to do with LibreSSL which we shook out pretty quick. No more
> bugs as far as I see.

Let's go with the new USE magic.
Comment 8 Larry the Git Cow gentoo-dev 2020-08-31 02:55:11 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1c31fa4af24cf680de0b3c5b0764189ae224d000

commit 1c31fa4af24cf680de0b3c5b0764189ae224d000
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-08-31 02:54:08 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-08-31 02:54:53 +0000

    profiles/arch/{hppa, sparc}: stable-mask net-misc/curl[mbedtls]
    
    Bug: https://bugs.gentoo.org/737990
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/arch/hppa/package.use.stable.mask  | 2 +-
 profiles/arch/sparc/package.use.stable.mask | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-31 02:55:54 UTC 
(In reply to Anthony Basile from comment #7)
> (In reply to Sam James from comment #6)
[...]
> Let's go with the new USE magic.

Sorry for delay, wanted to check I was happy as per our IRC chat!
Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev 2020-08-31 17:13:54 UTC 
x86 stable
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-31 22:13:20 UTC 
amd64 done
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-31 23:20:33 UTC 
sparc done
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-31 23:21:59 UTC 
arm done
Comment 14 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-31 23:23:11 UTC 
arm64 done
Comment 15 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-04 00:21:25 UTC 
ppc64 stable
Comment 16 Rolf Eike Beer archtester 2020-09-11 18:10:04 UTC 
hppa stable
Comment 17 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-09-20 16:37:45 UTC 
ppc, s390: ping
Comment 18 Agostino Sarubbo gentoo-dev 2020-10-12 15:20:34 UTC 
s390 stable
Comment 19 Agostino Sarubbo gentoo-dev 2020-10-13 09:52:08 UTC 
ppc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 20 Thomas Deutschmann (RETIRED) gentoo-dev 2020-12-22 22:54:47 UTC 
Added to an existing GLSA request.
Comment 21 NATTkA bot gentoo-dev 2020-12-22 22:57:01 UTC 
Unable to check for sanity:

> no match for package: net-misc/curl-7.72.0
Comment 22 GLSAMaker/CVETool Bot gentoo-dev 2020-12-23 20:20:33 UTC 
This issue was resolved and addressed in
 GLSA 202012-14 at https://security.gentoo.org/glsa/202012-14
by GLSA coordinator Thomas Deutschmann (whissi).