Bug#742728: curl: CVE-2014-0138 CVE-2014-0139
On mer, mar 26, 2014 at 06:50:41 +0100, Salvatore Bonaccorso wrote:
> Package: curl
> Version: 7.21.0-1
> Severity: grave
> Tags: security upstream fixed-upstream
>
> Hi Alessandro,
>
> For having this referenced also in the Debian BTS, the following
> vulnerabilities were published for curl.
>
> CVE-2014-0138[0]: libcurl wrong re-use of connections
> CVE-2014-0139[1]: libcurl IP address wildcard certificate validation

Here are the (old)stable debdiffs (better late than nothing, I guess... I had trouble adapting the patches for the older releases :/).

Cheers

--
perl -E '$_=q;$/= @{[@_]};and s;\S+;inidehG ordnasselA;eg;say~~reverse'

diff -Nru curl-7.21.0/debian/changelog curl-7.21.0/debian/changelog --- curl-7.21.0/debian/changelog 2014-01-29 19:17:17.0 +0100 +++ curl-7.21.0/debian/changelog 2014-04-09 19:48:14.0 +0200 @@ -1,3 +1,15 @@ +curl (7.21.0-2.1+squeeze8) squeeze-security; urgency=medium + + * Fix multiple security issues (Closes: #742728): +- Fix connection re-use when using different log-in credentials + as per CVE-2014-0138 + http://curl.haxx.se/docs/adv_20140326A.html +- Reject IP address wildcard matches as per CVE-2014-0139 + http://curl.haxx.se/docs/adv_20140326B.html + * Set urgency=high accordingly + + -- Alessandro Ghedini gh...@debian.org Wed, 09 Apr 2014 19:47:38 +0200 + curl (7.21.0-2.1+squeeze7) squeeze-security; urgency=high * Fix re-use of wrong HTTP NTLM connection as per CVE-2014-0015 diff -Nru curl-7.21.0/debian/patches/CVE-2014-0138.patch curl-7.21.0/debian/patches/CVE-2014-0138.patch --- curl-7.21.0/debian/patches/CVE-2014-0138.patch 1970-01-01 01:00:00.0 +0100 +++ curl-7.21.0/debian/patches/CVE-2014-0138.patch 2014-04-09 19:48:14.0 +0200 
@@ -0,0 +1,58 @@ +Description: Fix connection re-use when using different log-in credentials + In addition to FTP, other connection based protocols such as IMAP, POP3, + SMTP, SCP, SFTP and LDAP require a new connection when different log-in + credentials are specified. Fixed the detection logic to include these + other protocols. +Origin: upstream, http://curl.haxx.se/libcurl-bad-reuse.patch +Forwarded: not-needed +Author: Steve Holme steve_ho...@hotmail.com +Last-Update: 2014-04-09 + +--- a/lib/http.c b/lib/http.c +@@ -162,7 +162,7 @@ + ZERO_NULL,/* perform_getsock */ + ZERO_NULL,/* disconnect */ + PORT_HTTPS, /* defport */ +- PROT_HTTP | PROT_HTTPS | PROT_SSL /* protocol */ ++ PROT_HTTP | PROT_HTTPS | PROT_SSL | PROTOPT_CREDSPERREQUEST/* protocol */ + }; + #endif + +--- a/lib/url.c b/lib/url.c +@@ -2986,11 +2986,11 @@ + continue; + } + } +-if((needle-protocol PROT_FTP) || ++if((!(needle-protocol PROTOPT_CREDSPERREQUEST)) || +((needle-protocol PROT_HTTP) + (data-state.authhost.want CURLAUTH_NTLM))) { +- /* This is FTP or HTTP+NTLM, verify that we're using the same name +- and password as well */ ++ /* This protocol requires credentials per connection or is HTTP+NTLM, ++ so verify that we're using the same name and password as well */ + if(!strequal(needle-user, check-user) || + !strequal(needle-passwd, check-passwd)) { + /* one of them was different */ +--- a/lib/urldata.h b/lib/urldata.h +@@ -721,6 +721,8 @@ + #define PROT_EXTMASK 0xff + + #define PROT_SSL (129) /* protocol requires SSL */ ++#define PROTOPT_CREDSPERREQUEST (130) /* requires login creditials per request ++ as opposed to per connection */ + + /* these ones need action before socket close */ + #define PROT_CLOSEACTION (PROT_FTP | PROT_IMAP | PROT_POP3) +--- a/tests/data/DISABLED b/tests/data/DISABLED +@@ -2,5 +2,6 @@ + # test cases are run by runtests.pl. Just add the plain test case numbers, one + # per line. + # Lines starting with '#' letters are treated as comments. 
++519 + 563 + 564 diff -Nru curl-7.21.0/debian/patches/CVE-2014-0139.patch curl-7.21.0/debian/patches/CVE-2014-0139.patch --- curl-7.21.0/debian/patches/CVE-2014-0139.patch 1970-01-01 01:00:00.0 +0100 +++ curl-7.21.0/debian/patches/CVE-2014-0139.patch 2014-04-09 19:48:14.0 +0200 @@ -0,0 +1,40 @@ +Description: Reject IP address wildcard matches + There are server certificates used with IP address in the CN field, but + we MUST not allow wildcard certs for hostnames given as IP addresses + only. Therefore we must make Curl_cert_hostcheck() fail such attempts. +Origin: upstream, http://curl.haxx.se/libcurl-reject-cert-ip-wildcards.patch +Forwarded: not-needed +Author: Daniel Stenberg dan...@haxx.se +Last-Update: 2014-04-09 + +--- a/lib/ssluse.c b/lib/ssluse.c +@@ -53,6 +53,7 @@ + #include select.h + #include sslgen.h + #include rawstr.h ++#include inet_pton.h + + #define _MPRINTF_REPLACE /* use the internal
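Review bot: the squeeze8 changelog entry contradicts itself on urgency: the version line carries `urgency=medium` while the body says `* Set urgency=high accordingly`. For a security upload closing two CVEs the header should read `curl (7.21.0-2.1+squeeze8) squeeze-security; urgency=high`; otherwise drop the bullet, since as written it documents an urgency the upload does not actually carry.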
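Review bot: in the lib/http.c hunk of CVE-2014-0138.patch only one handler table is changed, and the surrounding context (`PORT_HTTPS, /* defport */`) shows it is the HTTPS handler; the plain-HTTP handler is not in this hunk and so does not gain `PROTOPT_CREDSPERREQUEST`. Because the lib/url.c hunk inverts the test to "the handler lacks PROTOPT_CREDSPERREQUEST", every unflagged handler now has its user name and password compared before a connection is re-used, so plain HTTP would stop re-using connections across differing credentials. That is the safe direction, but it is a behaviour change the Description does not mention; please confirm against the upstream patch whether the HTTP handler should carry the flag as well.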
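Review bot: the lib/url.c hunk still compares `needle->user`/`check->user` and the two passwords with `strequal`, which in this tree is curl's case-insensitive string comparison; two credential sets that differ only in letter case would therefore be treated as identical and the connection re-used. This is pre-existing rather than introduced here, but since the hunk is about exactly this check it would be worth making at least the password comparison case-sensitive. The move from an FTP-only special case to "anything not flagged PROTOPT_CREDSPERREQUEST" is otherwise the right default: a protocol that forgets to declare itself now gets the stricter per-connection credential check instead of silently escaping it.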
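Review bot: typo in the new comment in the lib/urldata.h hunk: `creditials` should be `credentials`. Since the new flag sits next to `PROT_SSL` just below the `PROT_EXTMASK 0xff` protocol-number mask, please also double-check that the bit chosen for `PROTOPT_CREDSPERREQUEST` lies outside the low byte covered by PROT_EXTMASK, so it cannot be confused with a protocol id when the field is masked.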
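Review bot: the tests/data/DISABLED hunk adds `519` with no explanation, although the file header right above it says lines starting with '#' are comments. Please add a comment line above `519` stating why it is disabled and referencing #742728 (per the thread, the test hangs without fork() support in the test server), so nobody re-enables it later without knowing the history.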
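Review bot: the only visible change to lib/ssluse.c in CVE-2014-0139.patch is the added `#include inet_pton.h`; the actual rejection inside `Curl_cert_hostcheck()` that the Description promises is not in the excerpt as quoted here, so it cannot be reviewed from this mail. When it is, the check should recognise both IPv4 and IPv6 literals (which is what pulling in inet_pton.h suggests) and refuse a wildcard match for them before any wildcard handling runs, not after.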
Bug#742728: curl: CVE-2014-0138 CVE-2014-0139
On Thu, Apr 10, 2014 at 12:01:03PM +0200, Alessandro Ghedini wrote:
> On mer, mar 26, 2014 at 06:50:41 +0100, Salvatore Bonaccorso wrote:
> > Package: curl
> > Version: 7.21.0-1
> > Severity: grave
> > Tags: security upstream fixed-upstream
> >
> > Hi Alessandro,
> >
> > For having this referenced also in the Debian BTS, the following
> > vulnerabilities were published for curl.
> >
> > CVE-2014-0138[0]: libcurl wrong re-use of connections
> > CVE-2014-0139[1]: libcurl IP address wildcard certificate validation
>
> Here are the (old)stable debdiffs (better late than nothing, I guess...
> I had trouble adapting the patches for the older releases :/).

If this now passes the test suite, please upload.

Cheers,
Moritz

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#742728: curl: CVE-2014-0138 CVE-2014-0139
On gio, apr 10, 2014 at 12:47:39 +0200, Moritz Muehlenhoff wrote:
> On Thu, Apr 10, 2014 at 12:01:03PM +0200, Alessandro Ghedini wrote:
> > On mer, mar 26, 2014 at 06:50:41 +0100, Salvatore Bonaccorso wrote:
> > > Package: curl
> > > Version: 7.21.0-1
> > > Severity: grave
> > > Tags: security upstream fixed-upstream
> > >
> > > Hi Alessandro,
> > >
> > > For having this referenced also in the Debian BTS, the following
> > > vulnerabilities were published for curl.
> > >
> > > CVE-2014-0138[0]: libcurl wrong re-use of connections
> > > CVE-2014-0139[1]: libcurl IP address wildcard certificate validation
> >
> > Here are the (old)stable debdiffs (better late than nothing, I guess...
> > I had trouble adapting the patches for the older releases :/).
>
> If this now passes the test suite, please upload.

Well, it passes the test suite only because the broken test was disabled, but it can't be helped (the alternative would be enabling the fork() support in the server used for testing, but that may introduce more breakage). SUSE has done the same thing (in fact the SUSE maintainer suggested this) and upstream says it should be safe (in fact, the fact that the disabled test freezes is probably a good sign, since it means that the patch does what it's supposed to).

Anyway, uploaded.

Cheers

--
perl -E '$_=q;$/= @{[@_]};and s;\S+;inidehG ordnasselA;eg;say~~reverse'
Bug#742728: curl: CVE-2014-0138 CVE-2014-0139
Hi Alessandro,

On Thu, Apr 10, 2014 at 01:38:37PM +0200, Alessandro Ghedini wrote:
> On gio, apr 10, 2014 at 12:47:39 +0200, Moritz Muehlenhoff wrote:
> > On Thu, Apr 10, 2014 at 12:01:03PM +0200, Alessandro Ghedini wrote:
> > > On mer, mar 26, 2014 at 06:50:41 +0100, Salvatore Bonaccorso wrote:
> > > > Package: curl
> > > > Version: 7.21.0-1
> > > > Severity: grave
> > > > Tags: security upstream fixed-upstream
> > > >
> > > > Hi Alessandro,
> > > >
> > > > For having this referenced also in the Debian BTS, the following
> > > > vulnerabilities were published for curl.
> > > >
> > > > CVE-2014-0138[0]: libcurl wrong re-use of connections
> > > > CVE-2014-0139[1]: libcurl IP address wildcard certificate validation
> > >
> > > Here are the (old)stable debdiffs (better late than nothing, I guess...
> > > I had trouble adapting the patches for the older releases :/).
> >
> > If this now passes the test suite, please upload.
>
> Well, it passes the test suite only because the broken test was disabled,
> but it can't be helped (the alternative would be enabling the fork()
> support in the server used for testing, but that may introduce more
> breakage). SUSE has done the same thing (in fact the SUSE maintainer
> suggested this) and upstream says it should be safe (in fact, the fact
> that the disabled test freezes is probably a good sign, since it means
> that the patch does what it's supposed to).
>
> Anyway, uploaded.

Thanks for your uploads. Will try to have a look at them over the weekend and release the packages. Both arrived in any case at security-master and builds are done.

Regards,
Salvatore
Bug#742728: curl: CVE-2014-0138 CVE-2014-0139
Package: curl
Version: 7.21.0-1
Severity: grave
Tags: security upstream fixed-upstream

Hi Alessandro,

For having this referenced also in the Debian BTS, the following vulnerabilities were published for curl.

CVE-2014-0138[0]: libcurl wrong re-use of connections
CVE-2014-0139[1]: libcurl IP address wildcard certificate validation

If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:
[0] http://security-tracker.debian.org/tracker/CVE-2014-0138
[1] http://security-tracker.debian.org/tracker/CVE-2014-0139

Regards,
Salvatore