Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 813270 (CVE-2021-22945, CVE-2021-22946, CVE-2021-22947)

Summary: <net-misc/curl-7.79.0: Multiple vulnerabilities (CVE-2021-{22945,22946,22947})
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: major CC: blueness
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A2 [glsa? cleanup]
Package list:
Runtime testing required: ---
Bug Depends on: 814485    
Bug Blocks:    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-09-16 00:54:56 UTC 
Fixed in 7.79.0:
    CVE-2021-22945: clear the leftovers pointer when sending succeeds
    CVE-2021-22946: do not ignore --ssl-reqd
    CVE-2021-22947: reject STARTTLS server response pipelining
Comment 1 Larry the Git Cow gentoo-dev 2021-09-18 03:01:20 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9886665e4f3d22da1d722509fd5de9000a36d4d6

commit 9886665e4f3d22da1d722509fd5de9000a36d4d6
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-09-18 02:52:49 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-09-18 02:52:49 +0000

    net-misc/curl: add 7.79.0
    
    Bug: https://bugs.gentoo.org/813270
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/curl/Manifest                             |   1 +
 net-misc/curl/curl-7.79.0.ebuild                   | 293 +++++++++++++++++++++
 .../curl-7.79.0-http-3digit-response-code.patch    | 107 ++++++++
 .../files/curl-7.79.0-http2-connection-data.patch  |  43 +++
 4 files changed, 444 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2021-09-18 04:22:55 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bc195c961bbf981a8368f108fa33ae38e4a9e1e8

commit bc195c961bbf981a8368f108fa33ae38e4a9e1e8
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-09-18 04:21:34 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-09-18 04:22:39 +0000

    net-misc/curl: drop test case for response code
    
    Fails for now, but keeping an eye upstream.
    
    Bug: https://bugs.gentoo.org/813270
    Signed-off-by: Sam James <sam@gentoo.org>

 .../curl-7.79.0-http-3digit-response-code.patch    | 60 ----------------------
 1 file changed, 60 deletions(-)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-09-18 04:28:22 UTC 
Not going to stable until at least patch release on Wednesday: https://github.com/curl/curl/issues/7738#issuecomment-922028899
Comment 4 Anthony Basile gentoo-dev 2021-09-23 11:33:50 UTC 
(In reply to Sam James from comment #3)
> Not going to stable until at least patch release on Wednesday:
> https://github.com/curl/curl/issues/7738#issuecomment-922028899

7.79.1 is now on the tree and includes both back ported patches that are in 7.79.0.

    curl-7.79.0-http2-connection-data.patch
    curl-7.79.0-http-3digit-response-code.patch
Comment 5 John Helmert III gentoo-dev Security 2021-10-03 00:53:33 UTC 
Please cleanup