Opened 7 years ago

Closed 7 years ago

#8676 closed enhancement (fixed)

curl-7.52.1 (CVE-2016-9594)

Reported by: Douglas R. Reno
Owned by: Douglas R. Reno
Priority: high
Milestone: 8.0
Component: BOOK
Version: SVN
Severity: normal
Keywords:
Cc:

Description

New point version to fix an uninitialized random introduced in 7.52.0

Change History (7)

comment:1 by Douglas R. Reno, 7 years ago

Owner: changed from blfs-book@… to Douglas R. Reno
Status: new → assigned

Grab dependencies for GNOME packages that I'm building to take them out quicker.

comment:2 by Douglas R. Reno, 7 years ago

Have a few complications here. May have just discovered a critical security vulnerability. In talks with the maintainer currently. Valgrind points to several uninitialized values of various sizes.

TESTFAIL: These test cases failed: 9 39 41 44 64 65 70 71 72 88 153 154 158 163 166 167 168 170 173 186 206 245 246 258 259 273 277 320 321 322 324 540 551 552 554 565 579 587 1001 1002 1030 1053 1060 1061 1071 1072 1079 1095 1133 1229 1315 1404 1412 1418 1437 2024 2026 2027 2028 2030 

https://curl.haxx.se/mail/lib-2016-12/0107.html

comment:3 by Pierre Labastie, 7 years ago (in reply to comment:2)

Replying to renodr:

> Have a few complications here. May have just discovered a critical security vulnerability. In talks with the maintainer currently. Valgrind points to several uninitialized values of various sizes.
>
> TESTFAIL: These test cases failed: 9 39 41 44 64 65 70 71 72 88 153 154 158 163 166 167 168 170 173 186 206 245 246 258 259 273 277 320 321 322 324 540 551 552 554 565 579 587 1001 1002 1030 1053 1060 1061 1071 1072 1079 1095 1133 1229 1315 1404 1412 1418 1437 2024 2026 2027 2028 2030
>
> https://curl.haxx.se/mail/lib-2016-12/0107.html

Just a warning, I do not know whether it applies here: openssl increases its entropy by reading uninitialized portions of memory. Valgrind does not like that, but it is not an error. See https://www.openssl.org/docs/faq.html#PROG14

comment:4 by Pierre Labastie, 7 years ago (in reply to comment:3)

Replying to pierre.labastie:

> Replying to renodr:
>
> > Have a few complications here. May have just discovered a critical security vulnerability. In talks with the maintainer currently. Valgrind points to several uninitialized values of various sizes.
> >
> > TESTFAIL: These test cases failed: 9 39 41 44 64 65 70 71 72 88 153 154 158 163 166 167 168 170 173 186 206 245 246 258 259 273 277 320 321 322 324 540 551 552 554 565 579 587 1001 1002 1030 1053 1060 1061 1071 1072 1079 1095 1133 1229 1315 1404 1412 1418 1437 2024 2026 2027 2028 2030
> >
> > https://curl.haxx.se/mail/lib-2016-12/0107.html
>
> Just a warning, I do not know whether it applies here: openssl increases its entropy by reading uninitialized portions of memory. Valgrind does not like that, but it is not an error. See https://www.openssl.org/docs/faq.html#PROG14

Oops, sorry, had not seen your link. It is not in the ssl library, so nothing to do with openssl.

comment:5 by Douglas R. Reno, 7 years ago

Update: It is OpenSSL related - only to a change made in 1.1.0+ (and the package maintainers only use 1.1.0). As a result of their API change, there's a bug in the random value. cURL is unusable as a result under our OpenSSL version.

comment:6 by Douglas R. Reno, 7 years ago

Further update: I'm going to patch in the valgrind.pm file to see if that helps. They removed a filter, which caused this problem in the first place.

comment:7 by Douglas R. Reno, 7 years ago

Resolution: fixed
Status: assigned → closed

Fixed at r18093

Pierre, thanks for suggesting the OpenSSL issue, if not just nonchalantly. You pointed us in the right direction.
