
Bug 878365 (CVE-2022-32221, CVE-2022-35260, CVE-2022-42915, CVE-2022-42916)

Summary: <net-misc/curl-7.86.0: multiple vulnerabilities
Product: Gentoo Security
Component: Vulnerabilities
Reporter: John Helmert III <ajak>
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: blueness, correabuscar+gentoo_bugs
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A3 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 878751, 880123
Bug Blocks:

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-26 13:59:21 UTC
CVE-2022-32221: POST following PUT confusion (curl)
CVE-2022-35260: .netrc parser out-of-bounds access (curl)
CVE-2022-42915: HTTP proxy double-free (curl)
CVE-2022-42916: HSTS bypass via IDN (curl)

Please bump to 7.86.0.
Comment 1 Larry the Git Cow gentoo-dev 2022-10-28 10:38:58 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=650c8a2155508ae7ebed1dc543b53e0d0470b8c4

commit 650c8a2155508ae7ebed1dc543b53e0d0470b8c4
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-10-28 10:28:59 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-10-28 10:38:25 +0000

    net-misc/curl: add 7.86.0
    
    Bug: https://bugs.gentoo.org/878365
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/curl/Manifest           |   2 +
 net-misc/curl/curl-7.86.0.ebuild | 287 +++++++++++++++++++++++++++++++++++++++
 net-misc/curl/metadata.xml       |   1 +
 3 files changed, 290 insertions(+)
Comment 2 Henning Schild 2022-10-28 16:44:27 UTC
Note that 7.86.0 introduced problems with proxy exception handling and is kind of very broken if you have to deal with proxies.

https://github.com/curl/curl/issues/9821

https://github.com/curl/curl/issues/9813

There might be a new release soon to fix those.

https://curl.se/mail/lib-2022-10/0079.html
Comment 3 Larry the Git Cow gentoo-dev 2022-10-28 17:18:40 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cc9e19d913994302ce2aff803013cd2be7dc3ce4

commit cc9e19d913994302ce2aff803013cd2be7dc3ce4
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-10-28 17:18:11 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-10-28 17:18:33 +0000

    net-misc/curl: backport proxy handling regression fixes to 7.86.0
    
    Bug: https://bugs.gentoo.org/878365
    Thanks-to: Henning Schild <henning@hennsch.de>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/curl/curl-7.86.0-r1.ebuild                | 289 +++++++++++++++++++++
 .../curl-7.86.0-proxy-noproxy-match-comma.patch    |  86 ++++++
 .../curl-7.86.0-proxy-noproxy-tailmatching.patch   |  66 +++++
 3 files changed, 441 insertions(+)
Comment 4 Larry the Git Cow gentoo-dev 2022-11-17 01:06:01 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=93404ce48ebc3346b1d0a45e5b313f25bec02e5f

commit 93404ce48ebc3346b1d0a45e5b313f25bec02e5f
Author:     Henning Schild <henning@hennsch.de>
AuthorDate: 2022-11-16 13:09:30 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-11-17 00:58:35 +0000

    net-misc/curl: backport one more noproxy regression patch to 7.86.0
    
    Bug: https://bugs.gentoo.org/878365
    Signed-off-by: Henning Schild <henning@hennsch.de>
    Closes: https://github.com/gentoo/gentoo/pull/28295
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/curl/curl-7.86.0-r3.ebuild                | 292 +++++++++++++++++++++
 ...roxy-tailmatch-like-in-7.85.0-and-earlier.patch |  84 ++++++
 2 files changed, 376 insertions(+)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-22 18:27:10 UTC
GLSA request filed
Comment 6 Larry the Git Cow gentoo-dev 2022-12-19 02:05:24 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=d4066956acc3f238eef20bbbad18f982301dd80b

commit d4066956acc3f238eef20bbbad18f982301dd80b
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-12-19 01:59:44 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-12-19 02:04:27 +0000

    [ GLSA 202212-01 ] curl: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/803308
    Bug: https://bugs.gentoo.org/813270
    Bug: https://bugs.gentoo.org/841302
    Bug: https://bugs.gentoo.org/843824
    Bug: https://bugs.gentoo.org/854708
    Bug: https://bugs.gentoo.org/867679
    Bug: https://bugs.gentoo.org/878365
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202212-01.xml | 72 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 72 insertions(+)
Comment 7 Larry the Git Cow gentoo-dev 2022-12-19 02:50:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f92fca8369ead410f65536b53ab6f7c83c1d9c35

commit f92fca8369ead410f65536b53ab6f7c83c1d9c35
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-12-19 02:47:48 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-12-19 02:48:01 +0000

    net-misc/curl: drop 7.84.0, 7.85.0-r2, 7.86.0-r2
    
    Bug: https://bugs.gentoo.org/867679
    Bug: https://bugs.gentoo.org/878365
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 net-misc/curl/Manifest              |   4 -
 net-misc/curl/curl-7.84.0.ebuild    | 290 -----------------------------------
 net-misc/curl/curl-7.85.0-r2.ebuild | 287 -----------------------------------
 net-misc/curl/curl-7.86.0-r2.ebuild | 291 ------------------------------------
 4 files changed, 872 deletions(-)
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-19 02:51:26 UTC
Tree is clean, all done.