Bug 779535 - <net-misc/curl-7.76.0: multiple vulnerabilities (CVE-2021-{22876,22890})
Summary: <net-misc/curl-7.76.0: multiple vulnerabilities (CVE-2021-{22876,22890})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: A4 [glsa+ cve]
Keywords:
Duplicates: 777648
Depends on: 740206
Blocks:
Reported: 2021-03-31 12:43 UTC by John Helmert III
Modified: 2021-05-26 12:40 UTC
CC List: 4 users

See Also:
Package list:
net-misc/curl-7.76.1
Runtime testing required: ---
nattka: sanity-check+


Description John Helmert III gentoo-dev Security 2021-03-31 12:43:41 UTC
CVE-2021-22876:

libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.

libcurl automatically sets the Referer: HTTP request header field in outgoing HTTP requests if the CURLOPT_AUTOREFERER option is set. With the curl tool, it is enabled with --referer ";auto".

CVE-2021-22890:

Enabled by default, libcurl supports the use of TLS 1.3 session tickets to resume previous TLS sessions to speed up subsequent TLS handshakes.

When using an HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly "short-cut" the host handshake. The reason for this confusion is the modified sequence from TLS 1.2, when the session ids would be provided only during the TLS handshake, while in TLS 1.3 it happens post-handshake and the code was not updated to take that changed behavior into account.

When confusing the tickets, an HTTPS proxy can trick libcurl into using the wrong session ticket resume for the host and thereby circumvent the server TLS certificate check, making it possible to perform a MITM attack unnoticed.

This flaw can allow a malicious HTTPS proxy to MITM the traffic. Such a malicious HTTPS proxy needs to provide a certificate that curl will accept for the MITMed server for an attack to work - unless curl has been told to ignore the server certificate check.


Fixed in 7.76.0, please bump.
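The CVE-2021-22876 behaviour described above, as an added illustration that is not curl's code and not part of this bug: a Referer derivation with the userinfo kept (pre-7.76.0 behaviour) beside the corrected one that strips it, plus a check over constructed access-log lines for Referer values that still carry credentials. Function names and the sample log lines are assumptions for this example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

def auto_referer(previous_url: str, strip_credentials: bool = True) -> str:
    """Build the Referer value for a follow-up request from the previous URL.

    strip_credentials=False reproduces the behaviour described in
    CVE-2021-22876: the user:password part of the URL is copied verbatim.
    strip_credentials=True is the corrected behaviour: userinfo is dropped.
    The fragment is dropped in both cases, as Referer never carries it.
    """
    parts = urlsplit(previous_url)
    netloc = parts.netloc
    if strip_credentials and "@" in netloc:
        # Everything before the last "@" is userinfo; keep only host[:port].
        netloc = netloc.rsplit("@", 1)[1]
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, ""))

def referer_has_credentials(referer: str) -> bool:
    """True when the Referer value still embeds user:password@ in its authority."""
    return "@" in urlsplit(referer).netloc

# Combined log format: request line, status, size, then the quoted Referer.
_REFERER_RE = re.compile(r'"[A-Z]+ [^"]*" \d{3} \S+ "([^"]*)"')

def find_leaky_referers(log_lines):
    """Return (line_number, referer) for every log line whose Referer leaks credentials.

    This is the server-side check a defender would run to see whether clients
    affected by CVE-2021-22876 have been sending credentials in Referer.
    """
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = _REFERER_RE.search(line)
        if match and referer_has_credentials(match.group(1)):
            hits.append((number, match.group(1)))
    return hits

# Constructed sample log lines (hypothetical hosts and credentials).
SAMPLE_LOG = [
    '203.0.113.5 - - [31/Mar/2021:12:43:41 +0000] "GET /landing HTTP/1.1" 200 512 '
    '"https://alice:hunter2@intranet.example/portal" "curl/7.75.0"',
    '203.0.113.5 - - [31/Mar/2021:12:43:42 +0000] "GET /landing HTTP/1.1" 200 512 '
    '"https://intranet.example/portal" "curl/7.76.0"',
    '198.51.100.7 - - [31/Mar/2021:12:44:00 +0000] "POST /api HTTP/1.1" 204 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(auto_referer("https://alice:hunter2@intranet.example/portal?x=1#top", False))
    print(auto_referer("https://alice:hunter2@intranet.example/portal?x=1#top"))
    print(find_leaky_referers(SAMPLE_LOG))
```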
Comment 1 Emily Rowlands 2021-03-31 17:46:54 UTC
I assume this is the same set of vulnerabilities mentioned in bug 777648?
Comment 2 Sam James archtester gentoo-dev Security 2021-03-31 17:58:32 UTC
(In reply to Emily Rowlands from comment #1)
> I assume this is the same set of vulnerabilities mentioned in bug 777648?

It is, although the info's here, so I'll mark that as a dup of this -- thanks!
Comment 3 Sam James archtester gentoo-dev Security 2021-03-31 17:58:39 UTC
*** Bug 777648 has been marked as a duplicate of this bug. ***
Comment 4 John Helmert III gentoo-dev Security 2021-04-02 16:39:21 UTC
There is an HTTP/2 regression with a patch available that may come in a release this weekend: https://curl.se/mail/lib-2021-04/0000.html

"Turns out I did a pretty major blunder and 7.76.0 shipped with a HTTP/2
regression that makes it not enable HTTP/2 over HTTPS for 7 different TLS
backends.

Probably reason enough for a patch release, but the final verdict for patch
release or not will happen during this coming weekend. Stay tuned."
Comment 5 Anthony Basile gentoo-dev 2021-04-03 12:28:25 UTC
(In reply to John Helmert III from comment #4)
> There is an HTTP/2 regression with a patch available that may come in a
> release this weekend: https://curl.se/mail/lib-2021-04/0000.html
> 
> "Turns out I did a pretty major blunder and 7.76.0 shipped with a HTTP/2
> regression that makes it not enable HTTP/2 over HTTPS for 7 different TLS
> backends.
> 
> Probably reason enough for a patch release, but the final verdict for patch
> release or not will happen during this coming weekend. Stay tuned."

I've got 7.76.0 in the tree now.  Maybe wait for 7.76.1?
Comment 6 Sam James archtester gentoo-dev Security 2021-04-12 17:22:34 UTC
(In reply to Anthony Basile from comment #5)
> (In reply to John Helmert III from comment #4)
> > There is an HTTP/2 regression with a patch available that may come in a
> > release this weekend: https://curl.se/mail/lib-2021-04/0000.html
> > 
> > "Turns out I did a pretty major blunder and 7.76.0 shipped with a HTTP/2
> > regression that makes it not enable HTTP/2 over HTTPS for 7 different TLS
> > backends.
> > 
> > Probably reason enough for a patch release, but the final verdict for patch
> > release or not will happen during this coming weekend. Stay tuned."
> 
> I've got 7.76.0 in the tree now.  Maybe wait for 7.76.1?

Coming in < 48 hrs apparently
Comment 7 John Helmert III gentoo-dev Security 2021-04-14 14:21:42 UTC
7.76.1 is released.
Comment 8 Anthony Basile gentoo-dev 2021-04-15 23:32:10 UTC
(In reply to John Helmert III from comment #7)
> 7.76.1 is released.

It's on the tree.  Go ahead and start stabilization.
Comment 9 Sam James archtester gentoo-dev Security 2021-04-16 02:30:17 UTC
x86 done
Comment 10 Scott Howard 2021-04-16 03:43:12 UTC
looks like 7.76.0 was stabilized on x86, instead of 7.76.1
Comment 11 Sam James archtester gentoo-dev Security 2021-04-16 03:47:58 UTC
(In reply to Scott Howard from comment #10)
> looks like 7.76.0 was stabilized on x86, instead of 7.76.1

Package list fixed now. Good spot.
Comment 12 Larry the Git Cow gentoo-dev 2021-04-16 04:01:37 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5785b9874b5b556912b5d12444dabcd619cc4f15

commit 5785b9874b5b556912b5d12444dabcd619cc4f15
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-04-16 04:00:43 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-04-16 04:00:43 +0000

    net-misc/curl: Revert "Stabilize 7.76.0 x86, #779535" due to package list issue
    
    This reverts commit 5ee0f317215f5efb86b59f26348159880d2a07e9. Unclear
    why the package list got reverted by NATTkA(?). We want to stabilise
    7.76.1.
    
    Bug: https://bugs.gentoo.org/779535
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/curl/curl-7.76.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 13 Sam James archtester gentoo-dev Security 2021-04-16 04:03:34 UTC
(mgorny, any ideas what happened with NATTkA here?)
Comment 14 Rolf Eike Beer 2021-04-17 16:09:31 UTC
hppa stable
Comment 15 Sam James archtester gentoo-dev Security 2021-04-18 01:53:03 UTC
ppc done
Comment 16 Rolf Eike Beer 2021-04-18 06:24:46 UTC
sparc stable
Comment 17 Sam James archtester gentoo-dev Security 2021-04-20 11:59:37 UTC
ppc64 done
Comment 18 Sam James archtester gentoo-dev Security 2021-04-22 20:19:02 UTC
arm64 done
Comment 19 Agostino Sarubbo gentoo-dev 2021-05-01 18:20:09 UTC
amd64 stable
Comment 20 Sam James archtester gentoo-dev Security 2021-05-15 02:41:20 UTC
arm done

all arches done
Comment 21 Sam James archtester gentoo-dev Security 2021-05-15 02:54:06 UTC
x86 done

all arches done
Comment 22 John Helmert III gentoo-dev Security 2021-05-16 02:35:21 UTC
Please cleanup, thanks!
Comment 23 Larry the Git Cow gentoo-dev 2021-05-25 01:56:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3a6aaa3e0ff967d2cb28b87dde7459845aa10269

commit 3a6aaa3e0ff967d2cb28b87dde7459845aa10269
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2021-05-25 01:55:58 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2021-05-25 01:55:58 +0000

    net-misc/curl: security cleanup
    
    Bug: https://bugs.gentoo.org/779535
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 net-misc/curl/Manifest              |   3 -
 net-misc/curl/curl-7.74.0-r2.ebuild | 286 -----------------------------------
 net-misc/curl/curl-7.74.0-r4.ebuild | 289 -----------------------------------
 net-misc/curl/curl-7.75.0.ebuild    | 290 -----------------------------------
 net-misc/curl/curl-7.76.0.ebuild    | 291 ------------------------------------
 5 files changed, 1159 deletions(-)
Comment 24 Thomas Deutschmann gentoo-dev Security 2021-05-25 01:57:53 UTC
New GLSA request filed.
Comment 25 GLSAMaker/CVETool Bot gentoo-dev 2021-05-26 12:40:58 UTC
This issue was resolved and addressed in
 GLSA 202105-36 at https://security.gentoo.org/glsa/202105-36
by GLSA coordinator Thomas Deutschmann (whissi).