Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 603574 (CVE-2016-9594) - <net-misc/curl-7.52.1: uninitialized random
Summary: <net-misc/curl-7.52.1: uninitialized random
Status: RESOLVED FIXED
Alias: CVE-2016-9594
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://curl.haxx.se/docs/adv_2016122...
Whiteboard: B3 [glsa cve]
Keywords:
Depends on: 581034 604104
Blocks: CVE-2016-9586
  Show dependency tree
 
Reported: 2016-12-23 12:11 UTC by Thomas Deutschmann (RETIRED)
Modified: 2017-02-01 22:44 UTC (History)
1 user (show)

See Also:
Package list:
=net-misc/curl-7.52.1-r1 =net-dns/libidn2-0.11
Runtime testing required: ---
kensington: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-23 12:11:31 UTC
uninitialized random
====================

Project curl Security Advisory, December 23, 2016 -
[Permalink](https://curl.haxx.se/docs/adv_20161223.html)

VULNERABILITY
-------------

libcurl's (new) internal function that returns a good 32bit random value was
implemented poorly and overwrote the pointer instead of writing the value into
the buffer the pointer pointed to.

This random value is used to generate nonces for Digest and NTLM
authentication, for generating boundary strings in HTTP formposts and
more. Having a weak or virtually non-existent random there makes these
operations vulnerable.

This function is brand new in 7.52.0 and is the result of an overhaul to make
sure libcurl uses strong random as much as possible - provided by the backend
TLS crypto libraries when present. The faulty function was introduced in [this
commit](https://github.com/curl/curl/commit/f682156a4fc6c43fb).

We are not aware of any exploit of this flaw.

INFO
----

This mistake managed to slip in because:

  1. It wasn't detected by manual code reviews

  2. When libcurl is built debug-enabled (which is often the case when libcurl
     developers build it), the bug doesn't trigger.

  3. When built without -g, the test suite's "valgrind output parser" wrongly
     ignored the valgrind output and with libcurl's standard build it is
     typically built without -g. Thus hiding this problem to most users.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2016-9594 to this issue.

AFFECTED VERSIONS
-----------------

This flaw exists in the following libcurl versions.

- Affected versions: libcurl 7.52.0 only
- Not affected versions: libcurl < 7.52.0 and libcurl >= 7.52.1

libcurl is used by many applications, but not always advertised as such!

THE SOLUTION
------------

In version 7.52.1, we fixed the function and we fixed the valgrind parser in
the test suite.

A [patch for CVE-2016-9594](https://curl.haxx.se/CVE-2016-9594.patch) is
available.

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

  A - Upgrade curl and libcurl to version 7.52.1

  B - Apply the patch to 7.52.0 and rebuild

TIME LINE
---------

It was first reported to the curl project on December 21 by Kamil Dudka.

We contacted distros@openwall on December 21.

curl 7.52.1 was released on December 23 2016, coordinated with the publication
of this advisory.

CREDITS
-------

Reported and patched by Kamil Dudka.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-23 14:47:31 UTC
@ Maintainer(s): Thank you for the bump!


@ Arches,

please test and mark stable: =net-misc/curl-7.52.1

Some arches still have to re-keyword curl itself _and_ =net-dns/libidn2-0.11 (including stabilization).
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-12-24 02:31:26 UTC
=net-dns/libidn2-0.11 is already stable on all stable arches.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-12-24 06:57:22 UTC
amd64 stable
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-25 13:31:43 UTC
(In reply to Aaron Bauman from comment #2)
> =net-dns/libidn2-0.11 is already stable on all stable arches.

No, this bug also covers re-keywording of net-misc/curl. I.e. alpha, ia64 and sparc still have to re-keyword net-misc/curl (keywords were dropped when new =net-dns/libidn2 dependency was introduced), including net-dns/libidn2. See depending bug and large blocking history.
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-25 13:40:37 UTC
x86 stable
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-30 01:19:07 UTC
Stopping stabilization due to upstream issue https://github.com/curl/curl/issues/1174

We will continue shortly after the rev bump including the patch landed in Gentoo repository.
Comment 7 Anthony Basile gentoo-dev 2016-12-30 01:49:03 UTC
(In reply to Thomas Deutschmann from comment #6)
> Stopping stabilization due to upstream issue
> https://github.com/curl/curl/issues/1174
> 
> We will continue shortly after the rev bump including the patch landed in
> Gentoo repository.

Okay let's restart with curl-7.52.1-r1.ebuild.  It fixes bug #604104.
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-30 01:53:43 UTC
@ Arches,

please test and mark stable: =net-misc/curl-7.52.1-r1

Some arches still have to re-keyword curl itself _and_ =net-dns/libidn2-0.11 (including stabilization).
Comment 9 Agostino Sarubbo gentoo-dev 2016-12-30 17:15:45 UTC
amd64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-12-30 17:16:17 UTC
x86 stable
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2016-12-31 11:56:46 UTC
Stable for HPPA PPC64.
Comment 12 Tobias Klausmann (RETIRED) gentoo-dev 2017-01-05 12:36:36 UTC
Stable on alpha.
Comment 13 Markus Meier gentoo-dev 2017-01-08 18:36:03 UTC
arm stable
Comment 14 Agostino Sarubbo gentoo-dev 2017-01-15 16:05:01 UTC
ppc stable
Comment 15 Agostino Sarubbo gentoo-dev 2017-01-18 09:46:08 UTC
ia64 stable
Comment 16 Agostino Sarubbo gentoo-dev 2017-01-18 09:51:30 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 17 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-19 19:58:42 UTC
This issue was resolved and addressed in
 GLSA 201701-47 at https://security.gentoo.org/glsa/201701-47
by GLSA coordinator Thomas Deutschmann (whissi).



@ Maintainer(s): Please cleanup and drop <net-misc/curl-7.52.1!
Comment 18 Aaron Bauman (RETIRED) gentoo-dev 2017-01-24 04:37:41 UTC
https://github.com/gentoo/gentoo/pull/3614
Comment 19 Anthony Basile gentoo-dev 2017-02-01 14:40:04 UTC
I removed the vulnerable versions.