Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 813270 (CVE-2021-22945, CVE-2021-22946, CVE-2021-22947) - <net-misc/curl-7.79.0: Multiple vulnerabilities (CVE-2021-{22945,22946,22947})
Summary: <net-misc/curl-7.79.0: Multiple vulnerabilities (CVE-2021-{22945,22946,22947})
Status: IN_PROGRESS
Alias: CVE-2021-22945, CVE-2021-22946, CVE-2021-22947
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa? cleanup]
Keywords:
Depends on: 814485
Blocks:
  Show dependency tree
 
Reported: 2021-09-16 00:54 UTC by Sam James
Modified: 2021-10-03 00:53 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2021-09-16 00:54:56 UTC
Fixed in 7.79.0:
    CVE-2021-22945: clear the leftovers pointer when sending succeeds
    CVE-2021-22946: do not ignore --ssl-reqd
    CVE-2021-22947: reject STARTTLS server response pipelining
Comment 1 Larry the Git Cow gentoo-dev 2021-09-18 03:01:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9886665e4f3d22da1d722509fd5de9000a36d4d6

commit 9886665e4f3d22da1d722509fd5de9000a36d4d6
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-09-18 02:52:49 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-09-18 02:52:49 +0000

    net-misc/curl: add 7.79.0
    
    Bug: https://bugs.gentoo.org/813270
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/curl/Manifest                             |   1 +
 net-misc/curl/curl-7.79.0.ebuild                   | 293 +++++++++++++++++++++
 .../curl-7.79.0-http-3digit-response-code.patch    | 107 ++++++++
 .../files/curl-7.79.0-http2-connection-data.patch  |  43 +++
 4 files changed, 444 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2021-09-18 04:22:55 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bc195c961bbf981a8368f108fa33ae38e4a9e1e8

commit bc195c961bbf981a8368f108fa33ae38e4a9e1e8
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-09-18 04:21:34 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-09-18 04:22:39 +0000

    net-misc/curl: drop test case for response code
    
    Fails for now, but keeping an eye upstream.
    
    Bug: https://bugs.gentoo.org/813270
    Signed-off-by: Sam James <sam@gentoo.org>

 .../curl-7.79.0-http-3digit-response-code.patch    | 60 ----------------------
 1 file changed, 60 deletions(-)
Comment 3 Sam James archtester gentoo-dev Security 2021-09-18 04:28:22 UTC
Not going to stable until at least patch release on Wednesday: https://github.com/curl/curl/issues/7738#issuecomment-922028899
Comment 4 Anthony Basile gentoo-dev 2021-09-23 11:33:50 UTC
(In reply to Sam James from comment #3)
> Not going to stable until at least patch release on Wednesday:
> https://github.com/curl/curl/issues/7738#issuecomment-922028899

7.79.1 is now on the tree and includes both back ported patches that are in 7.79.0.

    curl-7.79.0-http2-connection-data.patch
    curl-7.79.0-http-3digit-response-code.patch
Comment 5 John Helmert III gentoo-dev Security 2021-10-03 00:53:33 UTC
Please cleanup