Bug 499902 (CVE-2014-0015) - <net-misc/curl-7.35.0 : NTLM Connection Re-use Security Bypass Security Issue (CVE-2014-0015)
Status: RESOLVED FIXED
Alias: CVE-2014-0015
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://secunia.com/advisories/56728/
Whiteboard: A4 [noglsa]
Reported: 2014-01-31 16:49 UTC by Agostino Sarubbo
Modified: 2014-02-28 07:42 UTC

Description Agostino Sarubbo gentoo-dev 2014-01-31 16:49:04 UTC
From ${URL} :

Description

A security issue has been reported in libcURL, which can be exploited by malicious people to bypass 
certain security restrictions.

The security issue is caused due to the application re-using recent authenticated connections when 
processing new NTLM-authenticated requests. This can be exploited to perform certain operations with the 
credentials of a recent NTLM authenticated user.

The security issue is reported in versions 7.10.6 through 7.34.0.


Solution:
Update to version 7.35.0.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://curl.haxx.se/docs/adv_20140129.html


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Anthony Basile gentoo-dev 2014-01-31 21:01:06 UTC
Please proceed with stabilizing curl-7.35.0.

KEYWORDS="alpha amd64 arm arm64 hppa ia64 ppc ppc64 sparc x86"

I'm dropping keywords for ~arch.
Comment 2 Jeroen Roovers gentoo-dev 2014-02-01 14:27:56 UTC
Stable for HPPA.
Comment 3 Richard Freeman gentoo-dev 2014-02-02 11:04:24 UTC
Depending on USE configuration this package pulls in a few non-stable deps.  With the flags I just happen to have set I get:
media-libs/opus (USE=opus)
net-libs/gnutls (USE=gnutls)
sys-devel/gettext  (this looks like it doesn't depend on USE)

How do we want to handle?  Stable masking some USE flags might be an option, but we should at least check in with the gettext maintainers.
Comment 4 Richard Freeman gentoo-dev 2014-02-02 11:04:56 UTC
(In reply to Richard Freeman from comment #3)
> Depending on USE configuration this package pulls in a few non-stable deps. 
> With the flags I just happen to have set I get:
> media-libs/opus (USE=opus)
> net-libs/gnutls (USE=gnutls)
> sys-devel/gettext  (this looks like it doesn't depend on USE)
> 
> How do we want to handle?  Stable masking some USE flags might be an option,
> but we should at least check in with the gettext maintainers.

Ugh - disregard entirely - posted this in the wrong bug!!!!
Comment 5 Richard Freeman gentoo-dev 2014-02-02 11:18:34 UTC
amd64 stable
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2014-02-04 14:14:40 UTC
CVE-2014-0015 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0015):
  cURL and libcurl 7.10.6 through 7.34.0, when more than one authentication
  method is enabled, re-uses NTLM connections, which might allow
  context-dependent attackers to authenticate as other users via a request.
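The connection re-use behaviour described in the advisory text and the CVE summary above, as an added example that is not part of the bug report and is not libcurl code. It is a simplified model that assumes NTLM binds an identity to a connection rather than to each request; the `Pool`, `Conn`, `served_as` and `demo` names, the host and the credentials are all constructed for illustration.

```python
# Toy model of a client connection pool. NOT libcurl source code.
# Assumption: NTLM authenticates the connection, so every request sent on a
# re-used connection is served under the identity that opened it.
from dataclasses import dataclass, field


@dataclass
class Conn:
    host: str
    ntlm_user: str       # identity the server bound to this connection
    ntlm_password: str


@dataclass
class Pool:
    match_credentials: bool          # False models the flawed re-use check
    idle: list = field(default_factory=list)

    def acquire(self, host, user, password):
        for conn in self.idle:
            if conn.host != host:
                continue
            if self.match_credentials and \
                    (conn.ntlm_user, conn.ntlm_password) != (user, password):
                continue             # different identity: never re-use
            return conn, True
        conn = Conn(host, user, password)   # fresh handshake as requested user
        self.idle.append(conn)
        return conn, False


def served_as(pool, host, user, password):
    """Return (identity the server sees, whether a connection was re-used)."""
    conn, reused = pool.acquire(host, user, password)
    return conn.ntlm_user, reused


def demo(match_credentials):
    pool = Pool(match_credentials)
    # Constructed sample values: two users talking to the same host.
    first = served_as(pool, "intranet.example", "alice", "pw-a")
    second = served_as(pool, "intranet.example", "bob", "pw-b")
    return first, second


if __name__ == "__main__":
    print("host-only match:       ", demo(False))
    print("host+credentials match:", demo(True))
```

With the host-only match, the second request is served under the first user's identity; once credentials are part of the re-use check, it gets its own authenticated connection.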
Comment 7 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2014-02-09 02:53:52 UTC
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-02-09 08:19:03 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-02-09 08:23:52 UTC
ppc64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-02-09 08:27:10 UTC
sparc stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-02-16 07:35:08 UTC
alpha stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-02-16 12:05:48 UTC
ia64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2014-02-17 21:08:09 UTC
arm stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 14 Sergey Popov gentoo-dev Security 2014-02-27 14:07:29 UTC
Thanks for your work!

GLSA vote: no
Comment 15 Lars Wendler (Polynomial-C) gentoo-dev 2014-02-27 14:22:20 UTC
+  27 Feb 2014; Lars Wendler <polynomial-c@gentoo.org> -curl-7.34.0-r1.ebuild,
+  -files/curl-7.34.0-fix-ipv6-failover.patch:
+  Removed vulnerable version (bug #499902).
+
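Review bot: the entry drops files/curl-7.34.0-fix-ipv6-failover.patch together with curl-7.34.0-r1.ebuild but does not state that no other ebuild left in the tree still applies that patch. Worth confirming before the cleanup is committed, and saying so in the entry, so the remaining ebuilds do not fail at the patch step.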
Comment 16 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-02-28 07:42:34 UTC
GLSA vote: no.

Closing as [noglsa].