New issue
Advanced search Search tips

Issue 653748 link

Starred by 1 user
Status: Fixed
Owner:
vapier@chromium.org
Closed: Oct 2016
Cc:
vapier@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug-Security



Sign in to add a comment

Security: uprev libcurl to 7.50.3

Project Member Reported by de...@chromium.org, Oct 7 2016 
VULNERABILITY DETAILS

The ToT version of curl is at 7.49.1 which is affected by the last 5 CVEs in this page:
https://curl.haxx.se/docs/security.html

libcurl is used by update_engine to fetch the updates from Omaha. Looking at the usage of libcurl in update_engine (the list of certs is fixed and different from chrome; the usage pattern of libcurl is fixed in libcurl_http_fetcher.cc) I *think* we are not vulnerable to the problems stated in those CVEs, but I haven't look at all the details. An update to 7.50.3 would be recommended.

VERSION
Operating System: Chrome OS

Comment 1 by tsepez@chromium.org, Oct 7 2016

Components: Internals>Installer
Labels: M-55 Security_Severity-Low Security_Impact-Stable Pri-2
Severity low based upon comment in original description.

Comment 2 by tsepez@chromium.org, Oct 7 2016 

deymo, do you have a suggested owner for this?

Comment 3 by vapier@chromium.org, Oct 7 2016

Owner: vapier@chromium.org
i've posted a CL for review

Comment 4 by tsepez@chromium.org, Oct 7 2016

Status: Assigned (was: Unconfirmed)

Comment 5 by tsepez@chromium.org, Oct 7 2016 

Thanks for the update.
Project Member

Comment 6 by bugdroid1@chromium.org, Oct 9 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/overlays/portage-stable/+/b17710cff7789a9aab3dfe4d966fb6e4fba0b113

commit b17710cff7789a9aab3dfe4d966fb6e4fba0b113
Author: Mike Frysinger <vapier@chromium.org>
Date: Fri Oct 07 03:19:06 2016

curl: upgraded package to upstream

Upgraded net-misc/curl to version 7.50.3 for all.

BUG= chromium:653748 
TEST=precq passes

Change-Id: I32b5158643afaa4891e4f128d6c1aee958e9a34f
Reviewed-on: https://chromium-review.googlesource.com/395146
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Alex Deymo <deymo@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[rename] https://crrev.com/b17710cff7789a9aab3dfe4d966fb6e4fba0b113/net-misc/curl/curl-7.50.3.ebuild
[modify] https://crrev.com/b17710cff7789a9aab3dfe4d966fb6e4fba0b113/net-misc/curl/Manifest
[modify] https://crrev.com/b17710cff7789a9aab3dfe4d966fb6e4fba0b113/net-misc/curl/metadata.xml

Comment 7 by vapier@chromium.org, Oct 10 2016

Labels: Merge-Request-55
i'll request for M55 since it just branched.  not sure we need to go back to M54 or older.
Project Member

Comment 8 by sheriffbot@chromium.org, Oct 10 2016

Status: Fixed (was: Assigned)
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 9 by dimu@chromium.org, Oct 10 2016

Labels: -Merge-Request-55 Merge-Approved-55 Hotlist-Merge-Approved
Your change meets the bar and is auto-approved for M55 (branch: 2883)
Project Member

Comment 10 by bugdroid1@chromium.org, Oct 11 2016

Labels: merge-merged-release-R55-8872.B
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/overlays/portage-stable/+/0fe4414f48461c7b2916ac31bfd2a92b3111f477

commit 0fe4414f48461c7b2916ac31bfd2a92b3111f477
Author: Mike Frysinger <vapier@chromium.org>
Date: Fri Oct 07 03:19:06 2016

curl: upgraded package to upstream

Upgraded net-misc/curl to version 7.50.3 for all.

BUG= chromium:653748 
TEST=precq passes

Previously-Reviewed-on: https://chromium-review.googlesource.com/395146
(cherry picked from commit b17710cff7789a9aab3dfe4d966fb6e4fba0b113)

Change-Id: Ie30754fa9bc3e315ffaf61d53dcfa1a3cb1be6e8
Reviewed-on: https://chromium-review.googlesource.com/396360
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Commit-Queue: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>

[rename] https://crrev.com/0fe4414f48461c7b2916ac31bfd2a92b3111f477/net-misc/curl/curl-7.50.3.ebuild
[modify] https://crrev.com/0fe4414f48461c7b2916ac31bfd2a92b3111f477/net-misc/curl/Manifest
[modify] https://crrev.com/0fe4414f48461c7b2916ac31bfd2a92b3111f477/net-misc/curl/metadata.xml
Project Member

Comment 11 by sheriffbot@chromium.org, Oct 11 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 12 by sheriffbot@chromium.org, Oct 14 2016 

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 13 by vapier@chromium.org, Oct 14 2016

Labels: -Hotlist-Merge-Approved -Merge-Approved-55
Project Member

Comment 14 by sheriffbot@chromium.org, Jan 16 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 15 by dchan@google.com, Apr 17 2017

Labels: VerifyIn-59

Comment 16 by dchan@google.com, May 30 2017

Labels: VerifyIn-60

Comment 17 by dchan@chromium.org, Aug 1 2017

Labels: VerifyIn-61

Comment 18 by dchan@chromium.org, Oct 14 2017

Status: Archived (was: Fixed)

Comment 19 by vapier@chromium.org, Jun 21 2018

Status: Fixed (was: Archived)

Sign in to add a comment