[blfs-book] [BLFS Trac] #8297: curl-7.50.3

2016-09-13 Thread BLFS Trac via blfs-book
#8297: curl-7.50.3
-+-
 Reporter:  renodr   |  Owner:  blfs-book@…
 Type:  enhancement  | Status:  new
 Priority:  normal   |  Milestone:  7.11
Component:  BOOK |Version:  SVN
 Severity:  normal   |   Keywords:
-+-
 New security-related/emergency security release

 This one, being posted on the OSS Security release mailing list and
 meeting the Seamonkey Filter that I had set up, was *nice* enough to wake
 me up via a sound notification. I never hoped to actually have that
 feature work.

 {{{
 Bugfixes:

 CVE-2016-7167: escape and unescape integer overflows
 mk-ca-bundle.pl: use SHA256 instead of SHA1
 checksrc: detect strtok() use
 errors: new alias CURLE_WEIRD_SERVER_REPLY
 http2: support > 64bit sized uploads
 openssl: fix bad memory free (regression)
 CMake: hide private library symbols
 http: refuse to pass on response body with NO_NODY was set
 cmake: fix curl-config --static-libs
 mbedtls: switch off NTLM in build if md4 isn't available
 curl: --create-dirs on windows groks both forward and backward slashes
 }}}

 Some useful links:

 {{{
 https://curl.haxx.se/changes.html#7_50_3
 https://curl.haxx.se/docs/adv_20160914.html
 }}}

 I'd link to the openwall list email if I could get access to it - it just
 times out here.

 Here's what triggered my alert:

 {{{
 VULNERABILITY
 -------------

 The four libcurl functions `curl_escape()`, `curl_easy_escape()`,
 `curl_unescape` and `curl_easy_unescape` perform string URL percent
 escaping and unescaping. They accept custom string length inputs in
 signed integer arguments. (The functions having names without "easy"
 being the deprecated versions of the others.)

 The provided string length arguments were not properly checked and due to
 arithmetic in the functions, passing in the length 0x (2^32-1 or
 `UINT_MAX` or even just -1) would end up causing an allocation of zero
 bytes of heap memory that curl would attempt to write gigabytes of data
 into.

 The use of 'int' for this input type in the API is of course unwise but
 has remained so in order to maintain the API over the years.

 We are not aware of any exploit of this flaw.

 INFO
 ----

 This flaw does not affect the curl command line tool.

 The Common Vulnerabilities and Exposures (CVE) project has assigned the
 name CVE-2016-7167 to this issue.

 AFFECTED VERSIONS
 -----------------

 This flaw exists in the following libcurl versions.

 - Affected versions: libcurl 7.11.1 to and including 7.50.2
 - Not affected versions: libcurl < 7.11.1 and libcurl >= 7.50.3

 libcurl is used by many applications, but not always advertised as such!

 RECOMMENDATIONS
 ---------------

 We suggest you take one of the following actions immediately, in order of
 preference:

  A - Upgrade curl and libcurl to version 7.50.3

  B - Apply the patch to your version and rebuild

  C - Make sure you don't pass in string lengths larger than `INT_MAX`
  (typically 2^31) or negative values to the `curl_easy_(un)escape()`
  functions!
 }}}

 Originally reported as part of a PHP bug report.

 I just built CURL before turning in for the night *earlier* - I'll do
 this.

--
Ticket URL: 
BLFS Trac 
Beyond Linux From Scratch
-- 
http://lists.linuxfromscratch.org/listinfo/blfs-book
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
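The length arithmetic the advisory quoted above describes, as an added example that is not code from the ticket or from libcurl: the expressions are an assumption reconstructed from the advisory text, modelling the pre-fix size computation for a signed `int` length beside a checked version, plus the caller-side narrowing check that recommendation C asks applications to perform.

```c
/*
 * Added example (not libcurl source): models the 'int inlength' handling
 * the CVE-2016-7167 advisory describes for curl_easy_escape() and
 * curl_easy_unescape(). In that API a length of 0 means "use strlen()",
 * otherwise it is the number of bytes to process. The exact expressions
 * below are an assumption reconstructed from the advisory, not curl code.
 */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Pre-fix shape: the signed length is converted to size_t and one byte is
 * added for the terminator. With inlength == -1 the conversion yields
 * SIZE_MAX and the +1 wraps the allocation size to 0, while the byte
 * count still to be processed (alloc - 1) is SIZE_MAX: a zero-byte heap
 * block followed by an effectively unbounded write, as the advisory says. */
size_t vulnerable_alloc_size(const char *s, int inlength)
{
    size_t alloc = (inlength ? (size_t)inlength : strlen(s)) + 1;
    return alloc;
}

/* Hardened form: reject negative lengths before any arithmetic and check
 * the +1 for wrap-around. Returns false when the length is unusable; *out
 * is only written on success. */
bool checked_alloc_size(const char *s, int inlength, size_t *out)
{
    if (inlength < 0)
        return false;            /* the negative inputs the advisory names */
    size_t len = inlength ? (size_t)inlength : strlen(s);
    if (len == SIZE_MAX)
        return false;            /* len + 1 would wrap to 0 */
    *out = len + 1;
    return true;
}

/* Caller-side mitigation (recommendation C): an application that holds a
 * size_t length must not let it turn negative when narrowed to the API's
 * int parameter. Returns false if the value does not fit in INT_MAX. */
bool to_curl_length(size_t len, int *out)
{
    if (len > (size_t)INT_MAX)
        return false;
    *out = (int)len;
    return true;
}
```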

Re: [blfs-book] [BLFS Trac] #8297: curl-7.50.3

2016-09-13 Thread BLFS Trac via blfs-book
#8297: curl-7.50.3
-+---
 Reporter:  renodr   |   Owner:  renodr
 Type:  enhancement  |  Status:  assigned
 Priority:  normal   |   Milestone:  7.11
Component:  BOOK | Version:  SVN
 Severity:  normal   |  Resolution:
 Keywords:   |
-+---
Changes (by renodr):

 * owner:  blfs-book@… => renodr
 * status:  new => assigned



Re: [blfs-book] [BLFS Trac] #8297: curl-7.50.3 (CVE-2016-7167)

2016-09-14 Thread BLFS Trac via blfs-book
#8297: curl-7.50.3 (CVE-2016-7167)
-+-
 Reporter:  renodr   |   Owner:  renodr
 Type:  enhancement  |  Status:  closed
 Priority:  high |   Milestone:  7.11
Component:  BOOK | Version:  SVN
 Severity:  normal   |  Resolution:  fixed
 Keywords:   |
-+-
Changes (by renodr):

 * status:  assigned => closed
 * resolution:   => fixed


Comment:

 Fixed at r17759


Re: [blfs-book] [BLFS Trac] #8297: curl-7.50.3 (CVE-2016-7167) (was: curl-7.50.3)

2016-09-13 Thread BLFS Trac via blfs-book
#8297: curl-7.50.3 (CVE-2016-7167)
-+---
 Reporter:  renodr   |   Owner:  renodr
 Type:  enhancement  |  Status:  assigned
 Priority:  high |   Milestone:  7.11
Component:  BOOK | Version:  SVN
 Severity:  normal   |  Resolution:
 Keywords:   |
-+---
Changes (by renodr):

 * priority:  normal => high


Comment:

 Added CVE to the title (I might start doing that more often), and marked
 as high.
