CrOS: Vulnerability reported in net-misc/curl
Issue description

Automated analysis has detected that the following third party packages have had vulnerabilities publicly reported. NOTE: There may be several bugs listed below - in almost all cases, all bugs can be quickly addressed by upgrading to the latest version of the package.

Package Name: net-misc/curl
Package Version: [cpe:/a:curl:curl:7.57.0 cpe:/a:curl:curl:7.58.0 cpe:/a:curl:libcurl:7.57.0 cpe:/a:curl:libcurl:7.58.0 cpe:/a:haxx:curl:7.57.0 cpe:/a:haxx:curl:7.58.0 cpe:/a:haxx:libcurl:7.57.0 cpe:/a:haxx:libcurl:7.58.0]

Advisory: CVE-2018-1000300
Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2018-1000300
CVSS severity score: 7.5/10.0
Confidence: high
Description: curl version curl 7.54.1 to and including curl 7.59.0 contains a CWE-122: Heap-based Buffer Overflow vulnerability in denial of service and more that can result in curl might overflow a heap based memory buffer when closing down an FTP connection with very long server command replies. This vulnerability appears to have been fixed in curl < 7.54.1 and curl >= 7.60.0.

Advisory: CVE-2018-1000301
Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2018-1000301
CVSS severity score: 6.4/10.0
Confidence: high
Description: curl version curl 7.20.0 to and including curl 7.59.0 contains a CWE-126: Buffer Over-read vulnerability in denial of service that can result in curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded RTSP content. This vulnerability appears to have been fixed in curl < 7.20.0 and curl >= 7.60.0.
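As an added triage aid (not part of the issue or of the CrOS tooling), the following script takes the CPE list and the two inclusive affected ranges quoted in the description above and reports which listed curl versions fall inside each range; the CVE ranges and CPE strings are copied from the description, and 7.60.0 is the upgrade target discussed later in the thread.

```python
"""Check curl versions from the advisory's CPE list against the CVE ranges."""

# Inclusive affected ranges as stated in the two advisories above.
AFFECTED = {
    "CVE-2018-1000300": ("7.54.1", "7.59.0"),  # heap overflow on FTP close
    "CVE-2018-1000301": ("7.20.0", "7.59.0"),  # over-read of RTSP download buffer
}

# CPE 2.2 identifiers copied from the issue description.
CPES = [
    "cpe:/a:curl:curl:7.57.0", "cpe:/a:curl:curl:7.58.0",
    "cpe:/a:curl:libcurl:7.57.0", "cpe:/a:curl:libcurl:7.58.0",
    "cpe:/a:haxx:curl:7.57.0", "cpe:/a:haxx:curl:7.58.0",
    "cpe:/a:haxx:libcurl:7.57.0", "cpe:/a:haxx:libcurl:7.58.0",
]


def parse_version(text):
    """'7.54.1' -> (7, 54, 1), so that 7.9 < 7.54 compares numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def cpe_version(cpe):
    """Return the version field of a CPE 2.2 URI such as cpe:/a:curl:curl:7.58.0."""
    parts = cpe.split(":")
    if len(parts) < 5 or parts[0] != "cpe":
        raise ValueError(f"not a CPE 2.2 URI: {cpe}")
    return parts[4]


def affected_by(version):
    """Return the sorted CVE ids whose inclusive range contains this version."""
    v = parse_version(version)
    return sorted(cve for cve, (low, high) in AFFECTED.items()
                  if parse_version(low) <= v <= parse_version(high))


def triage(cpes):
    """Map each distinct version found in the CPE list to the CVEs that affect it."""
    versions = sorted({cpe_version(c) for c in cpes}, key=parse_version)
    return {v: affected_by(v) for v in versions}


if __name__ == "__main__":
    for version, cves in triage(CPES).items():
        print(version, "affected by:", ", ".join(cves) or "none of the listed CVEs")
    # 7.60.0 is the version the thread upgrades to; it should clear both ranges.
    print("7.60.0 affected by:", ", ".join(affected_by("7.60.0")) or "none of the listed CVEs")
```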
Jun 29 2018
Sure, I'll try to get to that today. FWIW (since I'm not sure I can parse whether vomit is trying to figure out what version of curl we currently use?), we currently have 7.58.0 in ToT, which appears to be vulnerable.
Jun 29 2018
Thank you!
Jun 30 2018
Still need to test more: https://chromium-review.googlesource.com/c/chromiumos/overlays/portage-stable/+/1121623 This tryjob, for instance, should validate some of the scenarios that curl upgrades had problems with previously: https://cros-goldeneye.corp.google.com/chromeos/healthmonitoring/buildDetails?buildbucketId=8942330590227190256
Jul 4
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/overlays/portage-stable/+/68b9f609425bf8f366cf452200bf437b4d247d49

commit 68b9f609425bf8f366cf452200bf437b4d247d49
Author: Brian Norris <briannorris@chromium.org>
Date: Wed Jul 04 01:18:24 2018

curl: upgraded package to upstream

Upgraded net-misc/curl to version 7.60.0 on amd64

Changed back to EAPI 5 (including eapply->epatch), to avoid problems bootstrapping our (old) early stage SDK tarballs.

BUG= chromium:859032
TEST=chromiumos-sdk trybot; preCQ; a few manual tests

Change-Id: Iabb6aefadfb9399ea23ed2bf925bd8ae2d2a92cb
Signed-off-by: Brian Norris <briannorris@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1121623
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[add] https://crrev.com/68b9f609425bf8f366cf452200bf437b4d247d49/net-misc/curl/files/curl-7.59.0-libressl-compatibility.patch
[rename] https://crrev.com/68b9f609425bf8f366cf452200bf437b4d247d49/net-misc/curl/curl-7.60.0.ebuild
[modify] https://crrev.com/68b9f609425bf8f366cf452200bf437b4d247d49/net-misc/curl/Manifest
[rename] https://crrev.com/68b9f609425bf8f366cf452200bf437b4d247d49/metadata/md5-cache/net-misc/curl-7.60.0
Jul 10
+ Daniel, who was interested in a prompt backport for lakitu. I'm not sure if this is worth rushing for M-68. Barring others' objections, I'll call this fixed for M-69.
Jul 10
Thanks for the heads-up. 7.5 is a pretty high score and according to our CVE policy (go/cos-cve) we'd want to patch it all the way down to stable, that is 68, 67, 66 and 65 for lakitu. Though the curl website says "We are not aware of any exploit of this flaw", the SECTRACK thread says "A remote user can execute arbitrary code on the target system". For lakitu we are generally more cautious about remote attacks, and as a reference Ubuntu has patched their LTS versions down to 14.04 LTS. So unless the new version is disruptive to the rest of CrOS, I'd request a merge to the older branches.
Jul 10
This bug requires manual review: We are only 13 days from stable. Please contact the milestone owner if you have questions. Owners: cmasso@(Android), kariahda@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 10
Thanks. I couldn't change the owner myself. I'll make the cherrypicks. +bhthompson, for merge approvals.
Jul 10
Bernie is ooo until next week... +josafat, +kbleicher, can you take a look?
Jul 10
Note that we're done with M67 stable and earlier; no plans for merges there. Assume tests have been completed / verified for the 68 merge?
Jul 10
I will make the cherrypick CL and test for m68, and other branches for that matter. If CrOS is done with m67 and older, I guess there is less reason NOT to merge it, as long as we verify it works for lakitu.
Jul 10
CLs are out and tryjobs started. Will update once they are finished.
Jul 11
CLs passed chromiumos-sdk and lakitu-release on branches from 65 to 68. If no objection, I am going to merge them all - normally I'd wait for an m68 build before merging m67, but since CrOS is done with m67 anyway, and lakitu-release has passed on them all, I'm going to skip the soak step.
Jul 11
ok to merge to older branches if Lakitu still using those
Jul 11
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/overlays/portage-stable/+/93870653aa5ec3a11bb78e18ae776183275e49f2

commit 93870653aa5ec3a11bb78e18ae776183275e49f2
Author: Brian Norris <briannorris@chromium.org>
Date: Wed Jul 11 21:24:34 2018

curl: upgraded package to upstream

Diff from original change:
- Dropped the curl-7.59.0-libressl-compatibility.patch as it's not used in the 7.60 ebuild
- Dropped the change of md5-cache. It should be taken care of by the commit bot I think?

Upgraded net-misc/curl to version 7.60.0 on amd64

Changed back to EAPI 5 (including eapply->epatch), to avoid problems bootstrapping our (old) early stage SDK tarballs.

BUG= chromium:859032
TEST=chromiumos-sdk trybot; preCQ; a few manual tests

Change-Id: Iabb6aefadfb9399ea23ed2bf925bd8ae2d2a92cb
Signed-off-by: Brian Norris <briannorris@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1132327
Trybot-Ready: Daniel Wang <wonderfly@google.com>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Tested-by: Daniel Wang <wonderfly@google.com>
Commit-Queue: Daniel Wang <wonderfly@google.com>

[rename] https://crrev.com/93870653aa5ec3a11bb78e18ae776183275e49f2/net-misc/curl/curl-7.60.0.ebuild
[modify] https://crrev.com/93870653aa5ec3a11bb78e18ae776183275e49f2/net-misc/curl/Manifest
Jul 11
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/overlays/portage-stable/+/210a5bc651a8ceffcb3a6c384de81103ebaa7791

commit 210a5bc651a8ceffcb3a6c384de81103ebaa7791
Author: Brian Norris <briannorris@chromium.org>
Date: Wed Jul 11 21:24:36 2018

curl: upgraded package to upstream

Upgraded net-misc/curl to version 7.60.0 on amd64

Changed back to EAPI 5 (including eapply->epatch), to avoid problems bootstrapping our (old) early stage SDK tarballs.

BUG= chromium:859032
TEST=chromiumos-sdk trybot; preCQ; a few manual tests

Change-Id: Iabb6aefadfb9399ea23ed2bf925bd8ae2d2a92cb
Signed-off-by: Brian Norris <briannorris@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1132414
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Commit-Queue: Daniel Wang <wonderfly@google.com>
Tested-by: Daniel Wang <wonderfly@google.com>

[rename] https://crrev.com/210a5bc651a8ceffcb3a6c384de81103ebaa7791/net-misc/curl/curl-7.60.0.ebuild
[modify] https://crrev.com/210a5bc651a8ceffcb3a6c384de81103ebaa7791/net-misc/curl/Manifest
Jul 11
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/overlays/portage-stable/+/29504484431d19fc4b022cf0f084dd2d0da674d4

commit 29504484431d19fc4b022cf0f084dd2d0da674d4
Author: Brian Norris <briannorris@chromium.org>
Date: Wed Jul 11 21:24:37 2018

curl: upgraded package to upstream

Upgraded net-misc/curl to version 7.60.0 on amd64

Changed back to EAPI 5 (including eapply->epatch), to avoid problems bootstrapping our (old) early stage SDK tarballs.

BUG= chromium:859032
TEST=chromiumos-sdk trybot; preCQ; a few manual tests

Change-Id: Iabb6aefadfb9399ea23ed2bf925bd8ae2d2a92cb
Reviewed-on: https://chromium-review.googlesource.com/1132387
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Commit-Queue: Daniel Wang <wonderfly@google.com>
Tested-by: Daniel Wang <wonderfly@google.com>

[rename] https://crrev.com/29504484431d19fc4b022cf0f084dd2d0da674d4/net-misc/curl/curl-7.60.0.ebuild
[modify] https://crrev.com/29504484431d19fc4b022cf0f084dd2d0da674d4/net-misc/curl/Manifest
Jul 11
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/overlays/portage-stable/+/b2fc24e4a1ab451631526fecfd70e504cca9d7ff

commit b2fc24e4a1ab451631526fecfd70e504cca9d7ff
Author: Brian Norris <briannorris@chromium.org>
Date: Wed Jul 11 21:24:39 2018

curl: upgraded package to upstream

Upgraded net-misc/curl to version 7.60.0 on amd64

Changed back to EAPI 5 (including eapply->epatch), to avoid problems bootstrapping our (old) early stage SDK tarballs.

BUG= chromium:859032
TEST=chromiumos-sdk trybot; preCQ; a few manual tests

Change-Id: Iabb6aefadfb9399ea23ed2bf925bd8ae2d2a92cb
Signed-off-by: Brian Norris <briannorris@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1132391
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Commit-Queue: Daniel Wang <wonderfly@google.com>
Tested-by: Daniel Wang <wonderfly@google.com>

[rename] https://crrev.com/b2fc24e4a1ab451631526fecfd70e504cca9d7ff/net-misc/curl/curl-7.60.0.ebuild
[modify] https://crrev.com/b2fc24e4a1ab451631526fecfd70e504cca9d7ff/net-misc/curl/Manifest
Jul 11
Is it okay if I start builds on the older branches (m67, m66, and m65) tonight, and tomorrow morning?
Jul 12
m67 had a build yesterday which fortunately included this change. I started on m66 and m65 just now.
Jul 20
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 24
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 20
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by kerrnel@chromium.org, Jun 29 2018
Labels: Security_Severity-High
Owner: briannorris@chromium.org
Status: Assigned (was: Untriaged)