Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 528840 (CVE-2014-3707) - <net-misc/curl-7.39.0: libcurl duphandle read out of bounds (CVE-2014-3707)
Summary: <net-misc/curl-7.39.0: libcurl duphandle read out of bounds (CVE-2014-3707)
Status: RESOLVED FIXED
Alias: CVE-2014-3707
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://curl.haxx.se/docs/adv_20141105...
Whiteboard: B4 [noglsa]
Keywords:
: 528842 (view as bug list)
Depends on: 522820
Blocks:
  Show dependency tree
 
Reported: 2014-11-10 16:15 UTC by Tiago Marques
Modified: 2015-05-11 20:15 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tiago Marques 2014-11-10 16:15:54 UTC
As described in http://curl.haxx.se/docs/adv_20141105.html and 

Reproducible: Always
Comment 1 Alex Xu (Hello71) 2014-11-10 19:34:45 UTC
*** Bug 528842 has been marked as a duplicate of this bug. ***
Comment 2 Alex Xu (Hello71) 2014-11-10 19:38:00 UTC
oops
Comment 3 Anthony Basile gentoo-dev 2014-11-11 00:13:50 UTC
(In reply to Tiago Marques from comment #0)
> As described in http://curl.haxx.se/docs/adv_20141105.html and 
> 
> Reproducible: Always

From the report: Not affected versions: libcurl >= 7.39.0.

curl-7.39.0 has now been added to the tree and I've removed all older unstable versions that were vulnerable.

We should rapid stabilize.

TARGETS="alpha amd64 arm arm64 hppa ia64 ppc ppc64 s390 sparc x86"

I'm cc-ing arm64 that may want to stabilize this important package.
Comment 4 Anthony Basile gentoo-dev 2014-11-11 00:19:00 UTC
@alpha, arm64, ia64, sparc.  You will need to stabilize =net-dns/c-ares-1.10.0-r1 first.  See bug #522820.
Comment 5 Agostino Sarubbo gentoo-dev 2014-11-11 08:33:44 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-11-11 08:33:59 UTC
x86 stable
Comment 7 Anthony Basile gentoo-dev 2014-11-11 10:56:29 UTC
stable on ppc and ppc64
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2014-11-11 11:39:14 UTC
Stable for HPPA.
Comment 9 Anthony Basile gentoo-dev 2014-11-13 12:18:39 UTC
stable on arm
Comment 10 Tobias Klausmann gentoo-dev 2014-11-20 13:45:58 UTC
Stable on alpha
Comment 11 Agostino Sarubbo gentoo-dev 2014-11-20 15:48:16 UTC
ia64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-12-01 09:18:00 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2015-01-04 02:08:10 UTC
CVE-2014-3707 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3707):
  The curl_easy_duphandle function in libcurl 7.17.1 through 7.38.0, when
  running with the CURLOPT_COPYPOSTFIELDS option, does not properly copy HTTP
  POST data for an easy handle, which triggers an out-of-bounds read that
  allows remote web servers to read sensitive memory information.
Comment 14 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-01-05 00:14:56 UTC
GLSA Vote: No
Comment 15 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-01-05 00:40:49 UTC
GLSA vote: no.
Comment 16 Yury German Gentoo Infrastructure gentoo-dev 2015-05-11 20:15:32 UTC
For this version it is all cleaned up. Thank you