Bug 1079148 (CVE-2014-0138) - CVE-2014-0138 curl: wrong re-use of connections in libcurl
Summary: CVE-2014-0138 curl: wrong re-use of connections in libcurl
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-0138
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1080878 1080879 1080880 1080891 1097085 1097086
Blocks: 1053909
TreeView+ depends on / blocked
 
Reported: 2014-03-21 04:57 UTC by Murray McAllister
Modified: 2019-09-29 13:14 UTC (History)
6 users (show)

Fixed In Version: curl 7.36.0
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-10-24 13:12:30 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:0561 normal SHIPPED_LIVE Moderate: curl security and bug fix update 2014-05-27 20:25:18 UTC

Description Murray McAllister 2014-03-21 04:57:23 UTC
Daniel Stenberg reported the following vulnerability in cURL:

   libcurl can in some circumstances re-use the wrong connection when asked to
   do transfers using other protocols than HTTP and FTP.

   libcurl features a pool of recent connections so that subsequent requests
   can re-use an existing connection to avoid overhead.

   When re-using a connection a range of criterion must first be met. Due to an
   error in the code, a transfer that was initiated by an application could
   wrongfully re-use an existing connection to the same server that was
   authenticated using different credentials. The existing logic basically only
   worked well enough for HTTP and FTP, while all other network protocols were
   silently, but erroneously, assumed to work like HTTP. Basically, protocols
   that use connection oriented authentication need a new connection when new
   credentials are used.

   Affected protocols include: SCP, SFTP, POP3(S), IMAP(S), SMTP(S) and
   LDAP(S).

   Applications can disable libcurl's re-use of connections and thus mitigate
   this problem, by using one of the following libcurl options to alter how
   connections are or aren't re-used: CURLOPT_FRESH_CONNECT,
   CURLOPT_MAXCONNECTS and CURLMOPT_MAX_HOST_CONNECTIONS (if using curl_multi
   API).

   (This problem is very similar to a problem previously reported to NTLM HTTP
   connections, named CVE-2014-0015)

Versions 7.10.6 to and including 7.35.0 are affected. The flaw is fixed in version 7.36.0

Acknowledgements:

Red Hat would like to thank the cURL project for reporting this issue. Upstream acknowledges Steve Holme as the original reporter.

Comment 3 Tomas Hoger 2014-03-26 09:31:15 UTC
Fixed now in curl version 7.36.0.

External References:

http://curl.haxx.se/docs/adv_20140326A.html

Comment 5 Tomas Hoger 2014-03-26 09:33:09 UTC
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 1080879]

Comment 6 Tomas Hoger 2014-03-26 09:33:12 UTC
Created mingw-curl tracking bugs for this issue:

Affects: fedora-all [bug 1080880]

Comment 7 Tomas Hoger 2014-03-26 09:43:30 UTC
Created mingw32-curl tracking bugs for this issue:

Affects: epel-5 [bug 1080891]

Comment 10 Kamil Dudka 2014-03-27 07:23:08 UTC
The following upstream patch makes the test-suite work with the fix applied:

https://github.com/bagder/curl/commit/f82e0edc

Comment 14 Fedora Update System 2014-03-31 02:11:58 UTC
curl-7.29.0-17.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2014-03-31 02:15:29 UTC
curl-7.32.0-8.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Tomas Hoger 2014-04-25 14:30:48 UTC
Upstream commit:

https://github.com/bagder/curl/commit/517b06d

Comment 28 errata-xmlrpc 2014-05-27 16:26:47 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0561 https://rhn.redhat.com/errata/RHSA-2014-0561.html

Comment 29 Huzaifa S. Sidhpurwala 2014-05-28 04:17:59 UTC
Statement:

This issue affects the version of curl as shipped with Red Hat Enterprise Linux 5 and 7. The Red Hat Security Response Team has rated this issue as having Moderate security impact, a future update may address this flaw.


Note You need to log in before you can comment on or make changes to this bug.