Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 552618 (CVE-2015-3236) - <net-misc/curl-7.43.0: Multiple vulnerabilities (CVE-2015-{3236,3237})
Summary: <net-misc/curl-7.43.0: Multiple vulnerabilities (CVE-2015-{3236,3237})
Status: RESOLVED FIXED
Alias: CVE-2015-3236
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-06-20 11:50 UTC by Kristian Fiskerstrand
Modified: 2015-11-03 13:07 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Kristian Fiskerstrand gentoo-dev Security 2015-06-20 11:50:53 UTC
SMB send off unrelated memory contents
======================================

Project cURL Security Advisory, June 17th 2015 -
[Permalink](http://curl.haxx.se/docs/adv_20150617B.html)

VULNERABILITY
-------------

libcurl can get tricked by a malicious SMB server to send off data it did not
intend to.

In libcurl's state machine function handling the SMB protocol
(`smb_request_state()`), two length and offset values are extracted from data
that has arrived over the network, and those values are subsequently used to
figure out what data range to send back.

The values are used and trusted without boundary checks and are just assumed
to be valid. This allows carefully handicrafted packages to trick libcurl into
responding and sending off data that was not intended. Or just crash if the
values cause libcurl to access invalid memory.

We are not aware of any exploit of this flaw.

INFO
----

This flaw can also affect the curl command line tool if a similar operation
series is made with that.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2015-3237 to this issue.

AFFECTED VERSIONS
-----------------

This flaw is relevant for

- Affected versions: libcurl 7.40.0 to and including 7.42.1
- Not affected versions: libcurl < 7.40.0 and libcurl >= 7.43.0

libcurl is used by many applications, but not always advertised as such!


##########
lingering HTTP credentials in connection re-use
===============================================

Project cURL Security Advisory, June 17th 2015 -
[Permalink](http://curl.haxx.se/docs/adv_20150617A.html)

VULNERABILITY
-------------

libcurl can wrongly send HTTP credentials when re-using connections.

libcurl allows applications to set credentials for the upcoming transfer with
HTTP Basic authentication, like with `CURLOPT_USERPWD` for example. Name and
password. Just like all other libcurl options the credentials are sticky and
are kept associated with the "handle" until something is made to change the
situation.

Further, libcurl offers a `curl_easy_reset()` function that resets a handle
back to its pristine state in terms of all settable options. A reset is of
course also supposed to clear the credentials. A reset is typically used to
clear up the handle and prepare it for a new, possibly unrelated, transfer.

Within such a handle, libcurl can also store a set of previous connections in
case a second transfer is requested to a host name for which an existing
connection is already kept alive.

With this flaw present, using the handle even after a reset would make libcurl
accidentally use those credentials in a subseqent request if done to the same
host name and connection as was previously accessed.

An example case would be first requesting a password protected resource from
one section of a web site, and then do a second request of a public resource
from a completely different part of the site without authentication. This flaw
would then inadvertently leak the credentials in the second request.

We are not aware of any exploit of this flaw.

INFO
----

This flaw can also affect the curl command line tool if a similar operation
series is made with that.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2015-3236 to this issue.

AFFECTED VERSIONS
-----------------

This flaw is relevant for

- Affected versions: libcurl 7.40.0 to and including 7.42.1
- Not affected versions: libcurl < 7.40.0 and libcurl >= 7.43.0

libcurl is used by many applications, but not always advertised as such!
Comment 1 Kristian Fiskerstrand gentoo-dev Security 2015-06-20 11:52:43 UTC
@maintainer: The unaffected package has already been bumped in tree, please advice on whether it is ready for stabilization.
Comment 2 Anthony Basile gentoo-dev 2015-06-20 12:12:37 UTC
(In reply to Kristian Fiskerstrand from comment #1)
> @maintainer: The unaffected package has already been bumped in tree, please
> advice on whether it is ready for stabilization.

Preliminary testing shows that it should be fine for rapid stabilization:

KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 3 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-06-20 18:19:35 UTC
amd64 stable
Comment 4 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-06-20 18:20:16 UTC
(In reply to Mikle Kolyada from comment #3)
> amd64 stable

nvmd, wrong bug
Comment 5 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-06-21 06:26:59 UTC
>> Creating Manifest for /home/zlogene/gentoo-x86/net-misc/curl
  dependency.bad [fatal]        28
   net-misc/curl/curl-7.43.0.ebuild: DEPEND: amd64(default/linux/amd64/13.0) ['net-libs/nghttp2[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
   net-misc/curl/curl-7.43.0.ebuild: RDEPEND: amd64(default/linux/amd64/13.0) ['net-libs/nghttp2[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
.......
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2015-06-29 23:40:01 UTC
CVE-2015-3237 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3237):
  The smb_request_state function in cURL and libcurl 7.40.0 through 7.42.1
  allows remote SMB servers to obtain sensitive information from memory or
  cause a denial of service (out-of-bounds read and crash) via crafted length
  and offset values.

CVE-2015-3236 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3236):
  cURL and libcurl 7.40.0 through 7.42.1 sends the HTTP Basic authentication
  credentials for a previous connection when reusing a reset (curl_easy_reset)
  connection handle to send a request to the same host name, which allows
  remote attackers to obtain sensitive information via unspecified vectors.
Comment 7 Anthony Basile gentoo-dev 2015-06-29 23:54:23 UTC
(In reply to Mikle Kolyada from comment #5)
> >> Creating Manifest for /home/zlogene/gentoo-x86/net-misc/curl
>   dependency.bad [fatal]        28
>    net-misc/curl/curl-7.43.0.ebuild: DEPEND: amd64(default/linux/amd64/13.0)
> ['net-libs/nghttp2[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,
> abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,
> abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
>    net-misc/curl/curl-7.43.0.ebuild: RDEPEND:
> amd64(default/linux/amd64/13.0)
> ['net-libs/nghttp2[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,
> abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,
> abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> .......

Yeah, vapier added nghttp2.  I would stabilized =net-libs/nghttp2-1.0.2 along with =net-misc/curl-7.43.0.  I'm cc-ing him to see if its okay.
Comment 8 Jeroen Roovers gentoo-dev 2015-06-30 04:27:00 UTC
You could broadly mask that USE=nghttp2 instead for now.
Comment 9 Jeroen Roovers gentoo-dev 2015-06-30 04:27:16 UTC
(In reply to Jeroen Roovers from comment #8)
> You could broadly mask that USE=nghttp2 instead for now.

I.e. USE=http2.
Comment 10 Anthony Basile gentoo-dev 2015-06-30 11:31:09 UTC
(In reply to Jeroen Roovers from comment #9)
> (In reply to Jeroen Roovers from comment #8)
> > You could broadly mask that USE=nghttp2 instead for now.
> 
> I.e. USE=http2.

I kinda want it.  So let's wait a few days and see if vapier responds.
Comment 11 Jeroen Roovers gentoo-dev 2015-07-03 04:08:15 UTC
Stable for HPPA.
Comment 12 Jeroen Roovers gentoo-dev 2015-07-03 04:41:56 UTC
Just mask USE=http2 or be very sure you want to pull in nghttp2 and openssl-1.0.2 at this moment.
Comment 13 Anthony Basile gentoo-dev 2015-07-04 13:37:09 UTC
(In reply to Jeroen Roovers from comment #12)
> Just mask USE=http2 or be very sure you want to pull in nghttp2 and
> openssl-1.0.2 at this moment.

I masked at profile/base level.  I didn't realize it was pulling openssl-1.0.2.

+  04 Jul 2015; Anthony G. Basile <blueness@gentoo.org> package.use.mask:
+  Mask http2 for net-misc/curl. Bug #552618.
+

Arch teams.  Please proceed.
Comment 14 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-07-04 16:32:30 UTC
amd64 stable
Comment 15 Jeroen Roovers gentoo-dev 2015-07-05 06:16:51 UTC
  04 Jul 2015; Anthony G. Basile <blueness@gentoo.org> curl-7.43.0.ebuild:
  Stable on ppc and ppc64.  Bug #552618.
Comment 16 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-07-05 10:14:44 UTC
x86 stable
Comment 17 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-07-05 20:38:06 UTC
arm stable
Comment 18 Tobias Klausmann gentoo-dev 2015-07-14 18:25:38 UTC
Stable on alpha.
Comment 19 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-07-17 12:53:53 UTC
ia64 stable
Comment 20 Agostino Sarubbo gentoo-dev 2015-07-23 09:38:23 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 21 Yury German Gentoo Infrastructure gentoo-dev Security 2015-08-10 22:31:43 UTC
Maintainer(s), Thank you for you for cleanup.
Added to an existing GLSA Request.

Maintainer(s), please drop the vulnerable version(s).
Comment 22 Yury German Gentoo Infrastructure gentoo-dev Security 2015-09-23 12:09:42 UTC
Maintainer(s), please drop the vulnerable version(s).
Comment 23 GLSAMaker/CVETool Bot gentoo-dev 2015-09-24 16:51:20 UTC
This issue was resolved and addressed in
 GLSA 201509-02 at https://security.gentoo.org/glsa/201509-02
by GLSA coordinator Kristian Fiskerstrand (K_F).
Comment 24 Yury German Gentoo Infrastructure gentoo-dev Security 2015-09-27 02:56:45 UTC
Re-Opening for Cleanup

Maintainer(s), please drop the vulnerable version(s).
Comment 25 Yury German Gentoo Infrastructure gentoo-dev Security 2015-11-02 20:23:37 UTC
It has been 30 days+ since cleanup requested.
Maintainer(s), please drop the vulnerable version(s).
Comment 26 Anthony Basile gentoo-dev 2015-11-02 22:01:48 UTC
(In reply to Yury German from comment #25)
> It has been 30 days+ since cleanup requested.
> Maintainer(s), please drop the vulnerable version(s).

commit 828055f6f393e89f3f9a0c65d07e5d3f562e56aa
Author: Anthony G. Basile <blueness@gentoo.org>
Date:   Mon Nov 2 17:04:17 2015 -0500

    net-misc/curl: remove vulnerable versions, bug #552618.
    
    Package-Manager: portage-2.2.20.1
Comment 27 Kristian Fiskerstrand gentoo-dev Security 2015-11-03 13:07:07 UTC
(In reply to Anthony Basile from comment #26)
> (In reply to Yury German from comment #25)
> > It has been 30 days+ since cleanup requested.
> > Maintainer(s), please drop the vulnerable version(s).
> 
> commit 828055f6f393e89f3f9a0c65d07e5d3f562e56aa
> Author: Anthony G. Basile <blueness@gentoo.org>
> Date:   Mon Nov 2 17:04:17 2015 -0500
> 
>     net-misc/curl: remove vulnerable versions, bug #552618.
>     
>     Package-Manager: portage-2.2.20.1

Thank you, 

closing