CrOS: Vulnerability reported in net-misc/curl
Issue description

Automated analysis has detected that the following third party packages have had vulnerabilities publicly reported.

NOTE: There may be several bugs listed below - in almost all cases, all bugs can be quickly addressed by upgrading to the latest version of the package.

Package Name: net-misc/curl
Package Version: [cpe:/a:curl:curl:7.51.0 cpe:/a:curl:libcurl:7.51.0 cpe:/a:haxx:curl:7.51.0 cpe:/a:haxx:libcurl:7.51.0]

Advisory: CVE-2017-1000101
Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-1000101
CVSS severity score: 4.3/10.0
Confidence: high

Description: curl supports "globbing" of URLs, in which a user can pass a numerical range to have the tool iterate over those numbers to do a sequence of transfers. In the globbing function that parses the numerical range, there was an omission that made curl read a byte beyond the end of the URL if given a carefully crafted, or just wrongly written, URL. The URL is stored in a heap based buffer, so it could then be made to wrongly read something else instead of crashing. An example of a URL that triggers the flaw would be `http://ur%20[0-60000000000000000000`.
Oct 24 2017
Looks like we have some dependencies on curl:
app-admin/rsyslog-8.22.0-r1 (elasticsearch ? >=net-misc/curl-7.35.0)
(omhttpfs ? >=net-misc/curl-7.35.0)
app-crypt/gnupg-1.4.15 (curl ? net-misc/curl)
app-text/poppler-0.33.0-r1 (curl ? net-misc/curl)
chromeos-base/crash-reporter-0.0.1-r2403 (net-misc/curl)
chromeos-base/dev-install-0.0.1-r939 (net-misc/curl)
chromeos-base/google-breakpad-2017.09.27.204616-r128 (net-misc/curl)
chromeos-base/libbrillo-0.0.1-r938 (net-misc/curl)
chromeos-base/update_engine-0.0.3-r2802 (net-misc/curl)
dev-util/shunit2-2.1.6 (net-misc/curl)
dev-vcs/git-2.13.5 (curl ? net-misc/curl)
net-dialup/ppp-2.4.6-r7 (eap-tls ? net-misc/curl)
net-vpn/strongswan-5.5.3-r2 (curl ? net-misc/curl)
However I haven't yet been able to check whether they depend on libcurl or on the curl executable, and whether this bug affects both.
At the same time, I don't think we're passing uncontrolled URLs to curl from those dependencies so this can likely stay P2. We'll try to fix for M64.
Dec 19 2017
Jan 30 2018
On Dec 4th, Mattias upgraded curl to 7.57.0.

commit 41583aa6c4a450ead8fa5c05dcca4704569d194f
Author: Mattias Nissler <mnissler@chromium.org>
Date: Mon Dec 4 15:08:05 2017 +0100

    net-misc/curl: Uprev to 7.57.0 from upstream

    BUG= chromium:789479
    TEST=Compiles and passes tests.
Jan 30 2018
Am I understanding the CVE correctly that it affects up to 7.55.X? https://nvd.nist.gov/vuln/detail/CVE-2017-1000101
Jan 30 2018
I don't think this is blocked on the portage upgrade (although w/out it, upgrading probably requires doing it by hand).
Jan 30 2018
We currently are on 7.57 so if the CVE really only affects up to 7.55, we aren't affected.
Jan 30 2018
I decided to check the libcurl source to verify. Tag 7.57 has a commit addressing the CVE:

commit 453e7a7a03a2cec749abd3878a48e728c515cca7
Author: Daniel Stenberg <daniel@haxx.se>
Date: Tue Aug 1 17:16:07 2017 +0200

    glob: do not continue parsing after a strtoul() overflow range

    Added test 1289 to verify.

    CVE-2017-1000101

    Bug: https://curl.haxx.se/docs/adv_20170809A.html
    Reported-by: Brian Carpenter
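
The omission in the issue description and the fix named in the commit title above, sketched as a simplified range parser. This is an added example, not code from the issue or from curl's source: `parse_range`, its `check_overflow` flag and the sample input are hypothetical, and the way the cursor steps past the end is an assumption drawn from the advisory text.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of a "[min-max:step]" range parser (hypothetical, not
 * curl's source). Returns the offset where the cursor ends up, or -1 if the
 * range is rejected. check_overflow == 0 models the omission: a strtoul()
 * overflow on the maximum falls through to the step-parsing branch. */
static long parse_range(const char *s, int check_overflow)
{
    const char *p = s;
    char *endp;
    unsigned long min_n, max_n, step_n = 1;

    if (*p++ != '[')
        return -1;
    errno = 0;
    min_n = strtoul(p, &endp, 10);
    if (errno || endp == p || *endp != '-')
        return -1;
    p = endp + 1;
    errno = 0;
    max_n = strtoul(p, &endp, 10);
    if (endp == p || (errno && check_overflow))
        return -1;                /* hardened: stop at the overflow */
    if (errno || *endp == ':') {
        p = endp + 1;             /* skips a byte assumed to be ':' */
        if (errno)                /* unterminated range: it was the NUL, so */
            return (long)(p - s); /* report the cursor, never read it */
        errno = 0;
        step_n = strtoul(p, &endp, 10);
        if (errno || endp == p)
            return -1;
    }
    if (*endp != ']' || min_n > max_n || step_n == 0)
        return -1;
    return (long)(endp + 1 - s);
}

int main(void)
{
    /* Constructed input shaped like the URL in the issue: no closing ']'
     * and a maximum too large for unsigned long. */
    const char *bad = "[0-99999999999999999999999999";
    printf("len=%zu lenient=%ld strict=%ld\n", strlen(bad),
           parse_range(bad, 0), parse_range(bad, 1));
    return 0;
}
```

In the lenient mode the returned cursor is one past the string's terminator, which is the position the next read would come from; the strict mode rejects the range before the cursor moves.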
Feb 8 2018
May 9 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by tsepez@chromium.org, Oct 23 2017
Status: Started (was: Untriaged)