Bug 803308 (CVE-2021-22922, CVE-2021-22923, CVE-2021-22925, CVE-2021-22926)

Summary:	<net-misc/curl-7.78.0: Multiple vulnerabilities
Product:	Gentoo Security	Reporter:	Sam James <sam>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	blueness
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	A3 [glsa+]
Package list:	net-misc/curl-7.78.0-r1	Runtime testing required:	---

Description Sam James archtester

2021-07-22 02:47:51 UTC

* CVE-2021-22922: Wrong content via metalink not discarded

"This was one of the problems we found that that all together made us take the drastic decision to completely remove metalink support.

The metalink format has a hash for the content so that a client can detect faulty contents. curl didn’t act properly if the has mismatched and it could easily make users not realize the bad content."

* CVE-2021-22923: Metalink download sends credentials

"If you download the metalink file using credentials, the subsequent download(s) of the file mentioned in that XML file will also get the same credentials passed to those servers, unexpectedly, thus potentially leaking sensitive information to other parties!
CVE-2021-22924: Bad connection reuse due to flawed path name checks

libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse, if one of them matches the setup.

Due to errors in the logic, the config matching function did not take ‘issuer cert’ into account and it compared the involved paths case insensitively, which could lead to libcurl reusing wrong connections!"

* CVE-2021-22925: TELNET stack contents disclosure again

"Possibly the most embarrassing security flaw in a long time.

When we shipped 7.77.0 we announced CVE-2021-22898, which was a flaw in the telnet code and an associated fix. Know what? The fix was incomplete and plain wrong so the original problem actually remained for a certain set of input.

This is thus the second advisory for the same problem and now we fix this again. Hopefully for real and for good this time…"

* CVE-2021-22926: CURLOPT_SSLCERT mixup with Secure Transport

"When libcurl is built to use the macOS native TLS library Secure Transport, an application can ask for the client certificate by name or with a file name – using the same option. If the name exists as a file, it will be used instead of by name. This could be exploited in rare circumstances."

Comment 1 Larry the Git Cow gentoo-dev

2021-07-22 03:23:30 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f7d7fb78e3689b5a56f384d9e0eca42ac36b23c7

commit f7d7fb78e3689b5a56f384d9e0eca42ac36b23c7
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-07-22 02:52:33 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-07-22 03:20:27 +0000

    net-misc/curl: add 7.78.0
    
    * Security bump to 7.78.0
    * Drops metalink support (gone upstream entirely)
    * Drops two obsolete seds
    
    Bug: https://bugs.gentoo.org/382241
    Bug: https://bugs.gentoo.org/637252
    Bug: https://bugs.gentoo.org/803308
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/curl/Manifest           |   1 +
 net-misc/curl/curl-7.78.0.ebuild | 289 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 290 insertions(+)

Comment 2 Sam James archtester

2021-07-30 01:03:06 UTC

Let’s go?

Comment 3 Anthony Basile gentoo-dev

2021-08-08 19:59:43 UTC

(In reply to Sam James from comment #2)
> Let’s go?

Its ready

Comment 4 Sam James archtester

2021-08-09 00:32:18 UTC

amd64 done

Comment 5 Sam James archtester

2021-08-09 00:41:29 UTC

ppc done

Comment 6 Sam James archtester

2021-08-09 00:41:42 UTC

ppc64 done

Comment 7 Sam James archtester

2021-08-09 01:42:36 UTC

sparc done

Comment 8 Sam James archtester

2021-08-11 00:05:21 UTC

arm64 done

Comment 9 NATTkA bot gentoo-dev

2021-08-14 03:52:29 UTC Comment hidden (obsolete)

Unable to check for sanity:

> no match for package: net-misc/curl-7.78.0

Comment 10 Rolf Eike Beer archtester

2021-08-16 07:47:47 UTC

hppa done

Comment 11 Agostino Sarubbo gentoo-dev

2021-08-25 04:23:31 UTC

x86 stable

Comment 12 Sam James archtester

2021-09-01 18:30:08 UTC

arm done

all arches done

Comment 13 Sam James archtester

2021-09-01 18:37:07 UTC

Please cleanup, thanks!

Comment 14 Anthony Basile gentoo-dev

2021-09-05 22:05:24 UTC

(In reply to Sam James from comment #13)
> Please cleanup, thanks!

cleanup done.

Comment 15 Sam James archtester

2021-09-05 22:53:37 UTC

(In reply to Anthony Basile from comment #14)
> (In reply to Sam James from comment #13)
> > Please cleanup, thanks!
> 
> cleanup done.

Thanks!

Comment 16 NATTkA bot gentoo-dev

2021-11-15 16:40:41 UTC

Unable to check for sanity:

> no match for package: net-misc/curl-7.78.0-r1

Comment 17 Larry the Git Cow gentoo-dev

2022-12-19 02:05:32 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=d4066956acc3f238eef20bbbad18f982301dd80b

commit d4066956acc3f238eef20bbbad18f982301dd80b
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-12-19 01:59:44 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-12-19 02:04:27 +0000

    [ GLSA 202212-01 ] curl: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/803308
    Bug: https://bugs.gentoo.org/813270
    Bug: https://bugs.gentoo.org/841302
    Bug: https://bugs.gentoo.org/843824
    Bug: https://bugs.gentoo.org/854708
    Bug: https://bugs.gentoo.org/867679
    Bug: https://bugs.gentoo.org/878365
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202212-01.xml | 72 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 72 insertions(+)

Comment 18 John Helmert III archtester

2022-12-19 02:28:50 UTC

GLSA released, all done.