Bug 1422464 (CVE-2017-2628)

Summary: CVE-2017-2628 curl: negotiate not treated as connection-oriented (incomplete fix for CVE-2015-3148)
Product: [Other] Security Response Reporter: Martin Prpič <mprpic>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bmcclain, cfergeau, dblechte, dmoppert, eedri, erik-fedora, kdudka, lsurette, mgoldboi, michal.skrivanek, mike, paul, rbalakri, rh-spice-bugs, security-response-team, sherold, sisharma, srevivo, ykaul, ylavi
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
It was found that the fix for CVE-2015-3148 in curl was incomplete. An application using libcurl with HTTP Negotiate authentication could incorrectly re-use credentials for subsequent requests to the same server.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2017-03-29 06:43:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1429761    
Bug Blocks: 1415298, 1422465    

Description Martin Prpič 2017-02-15 11:50:28 UTC 
It was found that the fix for CVE-2015-3148 did not correctly backported to curl in RHEL 6 because it did not reflect the fact that the HAVE_GSSAPI define was meanwhile substituted by USE_HTTP_NEGOTIATE.

The original issue was described as:

It was discovered that libcurl could incorrectly reuse Negotiate authenticated HTTP connections for subsequent requests. If an application using libcurl established a Negotiate authenticated HTTP connection to a server and sent subsequent requests with different credentials, the connection could be re-used with the initial set of credentials instead of using the new ones.

This issue was introduced in RHEL 6.7 and affects RHEL 6 curl only.
Comment 1 Martin Prpič 2017-02-15 12:44:03 UTC 
Acknowledgments:

Name: Paulo Andrade (Red Hat)
Comment 8 errata-xmlrpc 2017-03-29 06:32:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:0847 https://rhn.redhat.com/errata/RHSA-2017-0847.html