Bug 626776 (CVE-2017-1000099, CVE-2017-1000100, CVE-2017-1000101) - <net-misc/curl-7.55.1: Multiple vulnerabilities
Summary: <net-misc/curl-7.55.1: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-1000099, CVE-2017-1000100, CVE-2017-1000101
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://curl.haxx.se/docs/adv_2017080...
Whiteboard: A4 [glsa cve]
Keywords:
Depends on: 629562
Blocks: CVE-2017-7407 CVE-2017-7468
Reported: 2017-08-01 11:36 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2017-09-17 21:18 UTC

See Also:
Package list:
net-misc/curl-7.55.1
Runtime testing required: ---
stable-bot: sanity-check+
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-08-01 11:36:25 UTC
*** EMBARGOED CRD 2017-08-09 ***
Curl 7.55.0 will be released on August 9th containing fixes for multiple vulnerabilities.
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-08-09 07:18:01 UTC
CVE-2017-1000101 curl: URL globbing out of bounds read 
CVE-2017-1000100 curl: TFTP sends more than buffer size 
CVE-2017-1000099 curl: FILE buffer read out of bounds
Comment 3 Anthony Basile gentoo-dev 2017-08-10 10:06:49 UTC
It's in the tree. KEYWORDS for stable arches are "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2017-08-11 22:13:52 UTC
ia64 stable
Comment 5 Richard Freeman gentoo-dev 2017-08-19 20:55:02 UTC
amd64 stable
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2017-08-20 16:59:46 UTC
x86 stable
Comment 7 Markus Meier gentoo-dev 2017-08-23 04:57:26 UTC
arm stable
Comment 8 Matt Turner gentoo-dev 2017-08-25 22:35:10 UTC
alpha stable
Comment 9 Anthony Basile gentoo-dev 2017-09-02 02:17:45 UTC
I had to stabilize 7.55.1 on ppc because of bug #629562.
Comment 10 Anthony Basile gentoo-dev 2017-09-02 02:22:22 UTC
stable on ppc64
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2017-09-02 02:23:38 UTC
CC'ing arches again for 7.55.1
Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-02 11:21:32 UTC
ia64 stable
Comment 13 Aaron Bauman (RETIRED) gentoo-dev 2017-09-02 22:09:24 UTC
amd64/x86 stable
Comment 14 Tobias Klausmann (RETIRED) gentoo-dev 2017-09-03 20:26:56 UTC
Stable on alpha.
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2017-09-03 21:17:35 UTC
GLSA Vote: Yes
New GLSA Request filed.

All remaining arches (sparc / arm / hppa) are not security supported. Please proceed with stabilization.
Comment 16 Yury German Gentoo Infrastructure gentoo-dev 2017-09-03 22:58:00 UTC
Maintainer(s), please drop the vulnerable version(s).
Comment 17 Markus Meier gentoo-dev 2017-09-05 04:40:18 UTC
arm stable
Comment 18 Aaron Bauman (RETIRED) gentoo-dev 2017-09-10 22:20:22 UTC
sparc was dropped to exp.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5901d8f716555a1479f12313a2925fcadd177a9
Comment 19 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-11 07:55:14 UTC
hppa/sparc stable (thanks to Dakon)

All arches are done here.
Comment 20 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-11 13:52:20 UTC
(In reply to Anthony Basile from comment #10)
> stable on ppc64

Keywords for net-misc/curl:
          |                                 |   u   |  
          | a a         p   a     n r     s |   n   |  
          | l m   h i   p   r m m i i s   p | e u s | r
          | p d a p a p c x m i 6 o s 3   a | a s l | e
          | h 6 r p 6 p 6 8 6 p 8 s c 9 s r | p e o | p
          | a 4 m a 4 c 4 6 4 s k 2 v 0 h c | i d t | o
----------+---------------------------------+-------+-------
   7.53.0 | + + + + + + + + + ~ + o o + + + | 6 o 0 | gentoo
   7.53.1 | ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ o o ~ ~ ~ | 6 #   | gentoo
   7.54.0 | ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ o o ~ ~ ~ | 6 #   | gentoo
   7.54.1 | + + + ~ + + + + ~ ~ ~ o o ~ ~ + | 6 #   | gentoo
   7.55.0 | + + + ~ + o + + ~ ~ ~ o o ~ ~ ~ | 6 o   | gentoo
[I]7.55.1 | + + + + + + ~ + ~ ~ ~ o o ~ ~ + | 6 o   | gentoo

@Maintainer, could you please confirm that ppc64 is stable? I can't find any commit in the log about that. After that, we need to clean the tree.

Thank you,

Gentoo Security Padawan
ChrisADR
Comment 21 Anthony Basile gentoo-dev 2017-09-11 15:37:30 UTC
(In reply to Christopher Díaz from comment #20)
> (In reply to Anthony Basile from comment #10)
> > stable on ppc64
> 
> @Maintainer, could you please confirm that ppc64 is stable? I can't find any
> commit in the log about that. After that, we need to clean the tree.
> 

I marked 7.55.1 stable on ppc64 and removed the vulnerable versions.
Comment 22 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-11 16:22:31 UTC
(In reply to Anthony Basile from comment #21)
> I marked 7.55.1 stable on ppc64 and removed the vulnerable versions.

Thank you very much, GLSA already requested.

Gentoo Security Padawan
ChrisADR
Comment 23 GLSAMaker/CVETool Bot gentoo-dev 2017-09-17 21:18:50 UTC
This issue was resolved and addressed in
 GLSA 201709-14 at https://security.gentoo.org/glsa/201709-14
by GLSA coordinator Aaron Bauman (b-man).