Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 597760 (CVE-2016-8615, CVE-2016-8616, CVE-2016-8617, CVE-2016-8618, CVE-2016-8619, CVE-2016-8620, CVE-2016-8621, CVE-2016-8622, CVE-2016-8623, CVE-2016-8624, CVE-2016-8625) - <net-misc/curl-7.51.0: Multiple vulnerabilities
Summary: <net-misc/curl-7.51.0: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2016-8615, CVE-2016-8616, CVE-2016-8617, CVE-2016-8618, CVE-2016-8619, CVE-2016-8620, CVE-2016-8621, CVE-2016-8622, CVE-2016-8623, CVE-2016-8624, CVE-2016-8625
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://curl.haxx.se/mail/lib-2016-10...
Whiteboard: A2 [glsa cve]
Keywords:
Depends on: 581034 CVE-2016-9586
Blocks:
  Show dependency tree
 
Reported: 2016-10-22 10:07 UTC by Kristian Fiskerstrand
Modified: 2017-01-19 19:29 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Kristian Fiskerstrand gentoo-dev Security 2016-10-22 10:07:46 UTC
An alert on the upcoming 7.51.0 release

    This message: [ Message body ] [ More options ]
    Related messages: [ Next message ] [ Previous message ] [ Next in thread ] [ Replies ]

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Wed, 19 Oct 2016 00:30:38 +0200 (CEST)

Hi friends,

In two weeks time, on Wednesday November 2nd, we will release curl and libcurl
7.51.0 unless something earth shattering happens.

This release will bundle no less than _eleven_ security advisories and their
associated fixes (unless we get more reported in the time we have left). Each
individual security issue will be documented in detail in their own advisories
as usual and sent out as separate emails and get documented on the curl web
site. Chances are big several of these affects your use of curl.

We have never before handled anywhere close to this many security problems in
a single release. We have notified both Apple and distros_at_openwall so the
major distributions should be aware of what's coming.

Merging eleven previously non-disclosed branches into master just before a
release is not ideal but done so to minimize the security impact on existing
users when the problems get known. My plan is to merge them all into master
and push around 48 hours before release, watch the autobuilds closesly, have a
few extra coverity scans done and then fix up what's found before the release.

I will also prepare to do a follow-up patch release within the following week
if we find serious enough problems in the shipped product.
Comment 1 Hanno Böck gentoo-dev 2016-11-02 09:40:03 UTC
It's there:
https://curl.haxx.se/changes.html#7_51_0

CVE-2016-8615: cookie injection for other servers
CVE-2016-8616: case insensitive password comparison
CVE-2016-8617: OOB write via unchecked multiplication
CVE-2016-8618: double-free in curl_maprintf
CVE-2016-8619: double-free in krb5 code
CVE-2016-8620: glob parser write/read out of bounds
CVE-2016-8621: curl_getdate read out of bounds
CVE-2016-8622: URL unescape heap overflow via integer truncation
CVE-2016-8623: Use-after-free via shared cookies
CVE-2016-8624: invalid URL parsing with '#'
CVE-2016-8625: IDNA 2003 makes curl use wrong host

Maintainers, please bump to 7.51.0.
Comment 2 Anthony Basile gentoo-dev 2016-11-02 22:36:20 UTC
(In reply to Hanno Boeck from comment #1)
> 
> Maintainers, please bump to 7.51.0.

Unfortunately its not an easy bump since curl-7.50.3 depended on libidn and curl-7.51.0 depends on libidn2.  I'm getting the latter ready and hopefully we can rapid keyword/stabilize, or else just mask idn for now.
Comment 3 Jeroen Roovers gentoo-dev 2016-11-03 12:43:26 UTC
Stable for HPPA PPC64.
Comment 4 Jeroen Roovers gentoo-dev 2016-11-03 12:44:18 UTC
commit 802d574601a5cb10eb43aa715e9d030959004da7
Author: Jeroen Roovers <jer@gentoo.org>
Date:   Thu Nov 3 13:43:04 2016 +0100

    net-misc/curl: Stable for HPPA PPC64 (bug #598856).

    Package-Manager: portage-2.3.2
    RepoMan-Options: --ignore-arches

I referred to the wrong bug, there.
Comment 5 Kristian Fiskerstrand gentoo-dev Security 2016-11-04 08:33:52 UTC
This comment relates to CVE-2016-8625: IDNA 2003 makes curl use wrong host 
Using libidn2 is insufficient fix as there are potential for mismatches between IDNA 2003 and IDNA 2008

Upstream maintainer advice would suggest use.stable.masking idn for curl at the present time.
http://www.openwall.com/lists/oss-security/2016/11/04/6:
Date: Fri, 4 Nov 2016 08:27:43 +0100 (CET)
From: Daniel Stenberg <daniel@...x.se>:
I've suggested curl users to simply *disable* IDN completely in their builds 
now until we get something better done. To reduce the risk. There's no 
schedule or plan yet for when "something better" might be ready. I'll admit my 
energy level for this crap is very low.
Comment 6 Anthony Basile gentoo-dev 2016-12-21 16:47:47 UTC
@teams: alpha arm64 hppa ia64 m68k s390 sh sparc  You'll want to keyword and stabilize this package and its dependencies.  Sorry you should probably have been added earlier.

@prefix you may want to restore prefixes too.
Comment 7 Tobias Klausmann gentoo-dev 2016-12-21 19:35:14 UTC
Stable on alpha.
Comment 8 Tobias Klausmann gentoo-dev 2016-12-21 19:46:33 UTC
Also stable on amd64. Somehow O.o
Comment 9 Kristian Fiskerstrand gentoo-dev Security 2016-12-21 19:50:10 UTC
(In reply to Anthony Basile from comment #6)
> @teams: alpha arm64 hppa ia64 m68k s390 sh sparc  You'll want to keyword and
> stabilize this package and its dependencies.  Sorry you should probably have
> been added earlier.

Please be advised that bug 603370 re security vuln in lover version than 7.52.0 supersedes this report
Comment 10 Anthony Basile gentoo-dev 2016-12-21 20:15:27 UTC
(In reply to Kristian Fiskerstrand from comment #9)
> (In reply to Anthony Basile from comment #6)
> > @teams: alpha arm64 hppa ia64 m68k s390 sh sparc  You'll want to keyword and
> > stabilize this package and its dependencies.  Sorry you should probably have
> > been added earlier.
> 
> Please be advised that bug 603370 re security vuln in lover version than
> 7.52.0 supersedes this report

I am aware, which is why I want the keywords at least in so I can forward migrate them.
Comment 11 Fabian Groffen gentoo-dev 2016-12-22 08:36:49 UTC
Prefix keywords restored, x86-interix dropped.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2017-01-19 19:29:31 UTC
This issue was resolved and addressed in
 GLSA 201701-47 at https://security.gentoo.org/glsa/201701-47
by GLSA coordinator Thomas Deutschmann (whissi).