Bug 547376 (CVE-2015-3143) - <net-misc/curl-7.42.0: Multiple vulnerabilities (CVE-2015-{3143,3144,3145,3148})
Summary: <net-misc/curl-7.42.0: Multiple vulnerabilities (CVE-2015-{3143,3144,3145,3148})
Status: RESOLVED FIXED
Alias: CVE-2015-3143
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-04-22 08:14 UTC by Kristian Fiskerstrand
Modified: 2015-09-24 16:51 UTC

See Also:
Package list:
Runtime testing required: ---


Comment 1 Anthony Basile gentoo-dev 2015-04-22 11:58:16 UTC
curl-7.42.0 is in the tree and ready for rapid stabilization:

KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 2 Jeroen Roovers gentoo-dev 2015-04-22 16:52:49 UTC
Stable for PPC64.
Comment 3 Jeroen Roovers gentoo-dev 2015-04-22 17:12:15 UTC
Stable for HPPA.
Comment 4 Agostino Sarubbo gentoo-dev 2015-04-23 11:18:08 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2015-04-23 11:18:49 UTC
x86 stable
Comment 6 Anthony Basile gentoo-dev 2015-04-25 14:15:50 UTC
stable on ppc
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2015-04-26 13:42:04 UTC
CVE-2015-3148 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3148):
  cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use
  authenticated Negotiate connections, which allows remote attackers to
  connect as other users via a request.

CVE-2015-3145 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3145):
  The sanitize_cookie_path function in cURL and libcurl 7.31.0 through 7.41.0
  does not properly calculate an index, which allows remote attackers to cause
  a denial of service (out-of-bounds write and crash) or possibly have other
  unspecified impact via a cookie path containing only a double-quote
  character.

CVE-2015-3144 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3144):
  The fix_hostname function in cURL and libcurl 7.37.0 through 7.41.0 does not
  properly calculate an index, which allows remote attackers to cause a denial
  of service (out-of-bounds read or write and crash) or possibly have other
  unspecified impact via a zero-length host name, as demonstrated by
  "http://:80" and ":80."

CVE-2015-3143 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3143):
  cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use NTLM
  connections, which allows remote attackers to connect as other users via an
  unauthenticated request, a similar issue to CVE-2014-0015.
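
The index miscalculation described for CVE-2015-3145 and CVE-2015-3144 above, as an added illustration that is not part of the original bug thread and is not curl's source code: it shows why `strlen(s) - 1` is unsafe on an empty string, next to length-checked alternatives. The function names are hypothetical and the inputs are constructed from the CVE text.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Index an unguarded "last character" lookup would use: strlen(s) - 1.
 * For an empty string this wraps to SIZE_MAX, which addresses the byte
 * just before the buffer instead of a byte inside it. */
static size_t unguarded_last_index(const char *s)
{
    return strlen(s) - 1;
}

/* Strip one leading and one trailing double quote in place and return
 * the new length. Every index is checked against len before use. */
static size_t strip_quotes(char *path)
{
    size_t len = strlen(path);
    if (len > 0 && path[0] == '"') {
        memmove(path, path + 1, len);   /* len bytes: the tail plus its NUL */
        len--;
    }
    if (len > 0 && path[len - 1] == '"')
        path[--len] = '\0';
    return len;
}

/* Strip one trailing dot from a host name in place.
 * Returns 0 on success, -1 if the name is zero-length. */
static int strip_trailing_dot(char *host)
{
    size_t len = strlen(host);
    if (len == 0)
        return -1;                      /* e.g. the host part of "http://:80" */
    if (host[len - 1] == '.')
        host[len - 1] = '\0';
    return 0;
}

int main(void)
{
    char only_quote[] = "\"";           /* constructed: path that is only a quote */
    char empty_host[] = "";             /* constructed: zero-length host name */
    printf("unguarded index on \"\": %zu\n", unguarded_last_index(""));
    printf("strip_quotes length: %zu\n", strip_quotes(only_quote));
    printf("strip_trailing_dot: %d\n", strip_trailing_dot(empty_host));
    return 0;
}
```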
Comment 8 Anthony Basile gentoo-dev 2015-04-26 16:30:57 UTC
stable for arm
Comment 9 Agostino Sarubbo gentoo-dev 2015-04-28 07:30:45 UTC
alpha stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-04-28 07:47:24 UTC
ia64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2015-04-29 09:19:55 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 12 Anthony Basile gentoo-dev 2015-04-29 11:04:06 UTC
(In reply to Agostino Sarubbo from comment #11)
> sparc stable.
> 
> Maintainer(s), please cleanup.
> Security, please add it to the existing request, or file a new one.

There is a new security release with 7.42.1.
Comment 13 Kristian Fiskerstrand gentoo-dev Security 2015-04-29 11:10:49 UTC
(In reply to Anthony Basile from comment #12)
> (In reply to Agostino Sarubbo from comment #11)
> > sparc stable.
> > 
> > Maintainer(s), please cleanup.
> > Security, please add it to the existing request, or file a new one.
> 
> There is a new security release with 7.42.1.

Please use a new bug for this if you want security tracking it. I saw the announcement and it seems limited in scope due to the use case affected (header information leakage to proxy server if application does not set appropriately restrictive options), specifically: "If the application sets a custom HTTP header with sensitive content (e.g., authentication cookies) without changing the default, the proxy, and anyone who listens to the traffic between the application and the proxy, might get access to those values.

Note: this problem doesn't exist when using the `CURLOPT_COOKIE` option (or the '--cookie' option) or the HTTP auth options, which are always sent only to the destination server."
Comment 14 Kristian Fiskerstrand gentoo-dev Security 2015-05-11 16:03:14 UTC
GLSA Vote: Yes, 
Note: additional related bugs; bug 548130 and bug 528840
Comment 15 Yury German Gentoo Infrastructure gentoo-dev Security 2015-05-11 20:13:53 UTC
Vote: Yes
New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s).
Comment 16 Yury German Gentoo Infrastructure gentoo-dev Security 2015-05-13 22:23:37 UTC
Maintainer(s), thank you for cleanup.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2015-09-24 16:51:13 UTC
This issue was resolved and addressed in
 GLSA 201509-02 at https://security.gentoo.org/glsa/201509-02
by GLSA coordinator Kristian Fiskerstrand (K_F).