Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 737990 (CVE-2020-8231) - <net-misc/curl-7.72.0: May use wrong connection to submit data if CURLOPT_CONNECT_ONLY (CVE-2020-8231)
Summary: <net-misc/curl-7.72.0: May use wrong connection to submit data if CURLOPT_CON...
Status: RESOLVED FIXED
Alias: CVE-2020-8231
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://curl.haxx.se/docs/CVE-2020-82...
Whiteboard: A3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-08-19 09:14 UTC by Sam James
Modified: 2020-12-23 20:20 UTC (History)
2 users (show)

See Also:
Package list:
net-misc/curl-7.72.0
Runtime testing required: ---
nattka: sanity-check-


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-19 09:14:52 UTC
Description:
"An application that performs multiple requests with libcurl's multi API and
sets the `CURLOPT_CONNECT_ONLY` option, might in rare circumstances experience
that when subsequently using the setup connect-only transfer, libcurl will
pick and use the wrong connection - and instead pick another one the
application has created since then.

[...]

The application could then accidentally send data over that connection which
wasn't at all intended for that recipient, entirely unknowingly."
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-19 09:15:17 UTC
Please bump to 7.72.0. Thanks!
Comment 2 Anthony Basile gentoo-dev 2020-08-19 16:49:54 UTC
(In reply to Sam James from comment #1)
> Please bump to 7.72.0. Thanks!

bumped
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-19 17:01:02 UTC
(In reply to Anthony Basile from comment #2)
> (In reply to Sam James from comment #1)
> > Please bump to 7.72.0. Thanks!
> 
> bumped

Thanks, let us know when ready to stable.
Comment 4 NATTkA bot gentoo-dev 2020-08-19 17:05:01 UTC Comment hidden (obsolete)
Comment 5 Anthony Basile gentoo-dev 2020-08-20 13:23:57 UTC
(In reply to NATTkA bot from comment #4)
> Sanity check failed:
> 
> > net-misc/curl-7.72.0
> >   depend hppa stable profile default/linux/hppa/17.0 (11 total)
> >     net-libs/mbedtls:0=
> >   rdepend hppa stable profile default/linux/hppa/17.0 (11 total)
> >     net-libs/mbedtls:0=

looks like httpa will either have to stabilize mbedtls or mask.

@sam It should be ready now.  Would you give a quick test at your end and start the process if it works for you --- I did test at my end, but two eyes are better than one.
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-20 13:27:00 UTC
(In reply to Anthony Basile from comment #5)
> @sam It should be ready now.  Would you give a quick test at your end and
> start the process if it works for you --- I did test at my end, but two eyes
> are better than one.

Of course. I'll get on it shortly and let you know.

BTW:
[18:30:50]  <@sam_> blueness_: I wonder if we need a 7.72.0-r1 for curl or something
[18:31:01]  <@sam_> to allow us to stabilise without the new curl use magic :/
[18:31:26]  <@sam_> I can do it if you want (kill -r0, -r1 without the magic which we stable soon, -r2 with curl use magic)
[18:31:52]  <@sam_> I only realised when Nattka complained about mbedtls
[18:31:53]  <@sam_> then it twigged.

If you're happy with the "new USE magic", we can just go with it provided it works fine on my machine.

For reference, the changes were committed on the 4th August, but I think all the issues were to do with LibreSSL which we shook out pretty quick. No more bugs as far as I see.
Comment 7 Anthony Basile gentoo-dev 2020-08-21 13:51:23 UTC
(In reply to Sam James from comment #6)
> (In reply to Anthony Basile from comment #5)
> > @sam It should be ready now.  Would you give a quick test at your end and
> > start the process if it works for you --- I did test at my end, but two eyes
> > are better than one.
> 
> Of course. I'll get on it shortly and let you know.
> 
> BTW:
> [18:30:50]  <@sam_> blueness_: I wonder if we need a 7.72.0-r1 for curl or
> something
> [18:31:01]  <@sam_> to allow us to stabilise without the new curl use magic
> :/
> [18:31:26]  <@sam_> I can do it if you want (kill -r0, -r1 without the magic
> which we stable soon, -r2 with curl use magic)
> [18:31:52]  <@sam_> I only realised when Nattka complained about mbedtls
> [18:31:53]  <@sam_> then it twigged.
> 
> If you're happy with the "new USE magic", we can just go with it provided it
> works fine on my machine.
> 
> For reference, the changes were committed on the 4th August, but I think all
> the issues were to do with LibreSSL which we shook out pretty quick. No more
> bugs as far as I see.

Let's go with the new USE magic.
Comment 8 Larry the Git Cow gentoo-dev 2020-08-31 02:55:11 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1c31fa4af24cf680de0b3c5b0764189ae224d000

commit 1c31fa4af24cf680de0b3c5b0764189ae224d000
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-08-31 02:54:08 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-08-31 02:54:53 +0000

    profiles/arch/{hppa, sparc}: stable-mask net-misc/curl[mbedtls]
    
    Bug: https://bugs.gentoo.org/737990
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/arch/hppa/package.use.stable.mask  | 2 +-
 profiles/arch/sparc/package.use.stable.mask | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-31 02:55:54 UTC
(In reply to Anthony Basile from comment #7)
> (In reply to Sam James from comment #6)
[...]
> Let's go with the new USE magic.

Sorry for delay, wanted to check I was happy as per our IRC chat!
Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev 2020-08-31 17:13:54 UTC
x86 stable
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-31 22:13:20 UTC
amd64 done
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-31 23:20:33 UTC
sparc done
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-31 23:21:59 UTC
arm done
Comment 14 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-31 23:23:11 UTC
arm64 done
Comment 15 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-04 00:21:25 UTC
ppc64 stable
Comment 16 Rolf Eike Beer archtester 2020-09-11 18:10:04 UTC
hppa stable
Comment 17 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-09-20 16:37:45 UTC
ppc, s390: ping
Comment 18 Agostino Sarubbo gentoo-dev 2020-10-12 15:20:34 UTC
s390 stable
Comment 19 Agostino Sarubbo gentoo-dev 2020-10-13 09:52:08 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 20 Thomas Deutschmann (RETIRED) gentoo-dev 2020-12-22 22:54:47 UTC
Added to an existing GLSA request.
Comment 21 NATTkA bot gentoo-dev 2020-12-22 22:57:01 UTC
Unable to check for sanity:

> no match for package: net-misc/curl-7.72.0
Comment 22 GLSAMaker/CVETool Bot gentoo-dev 2020-12-23 20:20:33 UTC
This issue was resolved and addressed in
 GLSA 202012-14 at https://security.gentoo.org/glsa/202012-14
by GLSA coordinator Thomas Deutschmann (whissi).