ftp/curl

Hi all,

portaudit has been reminding me for a few days that my curl installation has a vulnerability:

Code:
# portaudit 
Affected package: curl-7.24.0_3
Type of problem: cURL library -- heap corruption in curl_easy_unescape.
Reference: http://portaudit.FreeBSD.org/01cf67b3-dc3b-11e2-a6cd-c48508086173.html

1 problem(s) in your installed packages found.

You are advised to update or deinstall the affected package(s) immediately.

Being an obedient admin of my system, I've been trying that for a few days already:

Code:
# portsnap fetch update
Looking up portsnap.FreeBSD.org mirrors... 6 mirrors found.
Fetching snapshot tag from ec2-eu-west-1.portsnap.freebsd.org... done.
Fetching snapshot metadata... done.
// yadda yadda
// ...
// and then
# portmaster -b curl

===>>> Currently installed version: curl-7.24.0_3
===>>> Port directory: /usr/ports/ftp/curl

===>>> Gathering distinfo list for installed ports

===>>> Launching 'make checksum' for ftp/curl in background
===>>> Gathering dependency list for ftp/curl from ports
===>>> Initial dependency check complete for ftp/curl


===>>> Starting build for ftp/curl <<<===

===>>> All dependencies are up to date

===>  Cleaning for curl-7.24.0_3
===>>> Waiting on fetch & checksum for ftp/curl <<<===
===>  curl-7.24.0_3 has known vulnerabilities:
Affected package: curl-7.24.0_3
Type of problem: cURL library -- heap corruption in curl_easy_unescape.
Reference: http://portaudit.FreeBSD.org/01cf67b3-dc3b-11e2-a6cd-c48508086173.html
=> Please update your ports tree and try again.
*** [check-vulnerable] Error code 1

Stop in /usr/ports/ftp/curl.
===>  Deleting distfiles for curl-7.24.0_3
===>>> RE-STARTING FETCH <<<===


===>  curl-7.24.0_3 has known vulnerabilities:
Affected package: curl-7.24.0_3
Type of problem: cURL library -- heap corruption in curl_easy_unescape.
Reference: http://portaudit.FreeBSD.org/01cf67b3-dc3b-11e2-a6cd-c48508086173.html
=> Please update your ports tree and try again.
*** [check-vulnerable] Error code 1

Stop in /usr/ports/ftp/curl.
*** [build] Error code 1

Stop in /usr/ports/ftp/curl.

===>>> make failed for ftp/curl
===>>> Aborting update

===>>> Killing background jobs
Terminated

===>>> You can restart from the point of failure with this command line:
       portmaster <flags> ftp/curl 

===>>> Exiting

So, do I need to wait for a patch? From what I understand from the portaudit vulnerability notes this vulnerability is not considered critical. But how should I handle this? Ignore it until a patch comes out? Uninstalling is certainly not an option. Curl is used in so many ports as a dependency that I dare not try this. I can't be the only one with this issue but I have a hard time finding more information on how to handle the situation.

Code:
# uname -a
FreeBSD frodo.metrico 9.1-RELEASE-p4 FreeBSD 9.1-RELEASE-p4 #0: Mon Jun 17 11:42:37 UTC 2013     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64
 
frabron said:
So, do I need to wait for a patch?
That's what I'm doing. Unless this is a very critical issue for you, then you could always consider trying alternative measures. But quite frankly I have some doubts that those will work.

frabron said:
I can't be the only one with this issue but I have a hard time finding more information on how to handle the situation.
Well, that's the nature of the beast a bit, in my opinion; there is no carved-out rule as to what one should do in a situation like this. It all depends on your own situation and environment. For you uninstalling isn't an option (same for me) but maybe others feel more strongly about it.

What I basically did was to look up how I could override this message if needed, then re-evaluated which programs were using Curl and decided that I'm good for now.

Code:
root@smtp2:/usr/ports/databases/mysql51-server # pkg_info -Rx curl
Information for curl-7.24.0_3:

Required by:
gnupg-1.4.13
gpgme-1.3.2
mutt-1.5.21_3
p5-Mail-SpamAssassin-3.3.2_8
php5-curl-5.4.16
wordpress-3.5.2,1
On my system none of these programs will start using Curl without me knowing about it, as such I think the risks are currently acceptable. But it's something to keep in mind of course.
 
It's a bit of a dirty hack, but in the meantime you could try to edit the port's Makefile and change the version number to a recent version. Then run # make makesum to update the port's distinfo file. After that, hopefully, the port should build with the new version.

I also suggest submitting a PR to nudge the maintainer to upgrade the port.
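The version-bump hack above, and the "override this message" route mentioned in the earlier reply, as an added example that is not part of the thread: a small POSIX sh script that edits a constructed stand-in for ftp/curl's Makefile (the version numbers come from the thread; the new version 7.31.0, the maintainer address and the MASTER_SITES line are illustrative assumptions). It sets PORTVERSION, drops PORTREVISION as the Porter's Handbook requires on a version bump, and comments on the make steps that follow (make makesum, make check-vulnerable, and the DISABLE_VULNERABILITIES override), which need the ports tree and network and so are not run here.

```shell
#!/bin/sh
# Added example (not from the thread): simulate the "bump PORTVERSION in the
# port's Makefile" hack on a constructed copy, then show the follow-up steps.
set -eu

# Write a constructed stand-in for /usr/ports/ftp/curl/Makefile to $1.
# Only PORTNAME/PORTVERSION/PORTREVISION match the thread; the rest is
# illustrative filler so the file looks like a real port Makefile.
write_sample_makefile() {
    cat > "$1" <<'EOF'
# $FreeBSD$

PORTNAME=       curl
PORTVERSION=    7.24.0
PORTREVISION=   3
CATEGORIES=     ftp www
MASTER_SITES=   http://curl.haxx.se/download/

MAINTAINER=     someone@example.org
COMMENT=        Non-interactive tool to get files from FTP, HTTP(S) servers

.include <bsd.port.mk>
EOF
}

# Print the value of a simple "VAR=value" or "VAR?=value" line in a
# Makefile ($1 = Makefile, $2 = variable name); empty if the line is absent.
port_var() {
    sed -n "s/^$2[[:space:]]*?*=[[:space:]]*//p" "$1" | head -n 1
}

# Bump PORTVERSION to $2 and delete the PORTREVISION line: a new upstream
# version restarts the port revision at 0, which means no PORTREVISION at all.
# Written to a temp file and renamed, because GNU and BSD sed -i differ.
bump_port_version() {
    tmp="$1.tmp"
    sed -e "s/^\(PORTVERSION[[:space:]]*=[[:space:]]*\).*/\1$2/" \
        -e '/^PORTREVISION[[:space:]]*=/d' "$1" > "$tmp"
    mv "$tmp" "$1"
}

# Demo on a scratch copy. NEW_VERSION is an assumed newer release; take the
# real fixed version from the advisory referenced by portaudit.
NEW_VERSION=7.31.0
WORK=$(mktemp -d)
MAKEFILE="$WORK/Makefile"
write_sample_makefile "$MAKEFILE"

echo "before: curl-$(port_var "$MAKEFILE" PORTVERSION)_$(port_var "$MAKEFILE" PORTREVISION)"
bump_port_version "$MAKEFILE" "$NEW_VERSION"
echo "after:  curl-$(port_var "$MAKEFILE" PORTVERSION)"

# On the real port directory the remaining steps would be:
#   cd /usr/ports/ftp/curl
#   make makesum             # refetch the new tarball, rewrite distinfo
#   make check-vulnerable    # the target that stopped portmaster above
#   make install clean       # or: portmaster ftp/curl
# If you decide the risk is acceptable and want the OLD version rebuilt
# anyway, the ports framework's documented override is:
#   make -DDISABLE_VULNERABILITIES install clean
# That skips check-vulnerable entirely, so portaudit will keep reporting
# the package until a fixed version is actually installed.

rm -rf "$WORK"
```

The script only touches PORTVERSION and PORTREVISION; if the port also pins a distfile name or patches that depend on the old release, make makesum succeeding does not guarantee the build will.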
 
Thanks for the feedback. So I will just try to continue updating the package until this is successful. I did a check with pkg_info -Rx curl and curl is used by nearly all applications for which I use my server, so in the end I won't hassle with trying to uninstall/patch curl.

SirDice said:
I also suggest submitting a PR to nudge the maintainer to upgrade the port.

Shouldn't he know this already? I don't want to be annoying or so since port management probably isn't a paid job and is done in spare time mostly I guess ...
 
frabron said:
Shouldn't he know this already? I don't want to be annoying or so since port management probably isn't a paid job and is done in spare time mostly I guess ...
He should but might have missed it. Have a look in the existing PRs, somebody may have already submitted one. If there isn't just create one. The PR system helps everyone to keep track of outstanding issues. Personally I'd prefer a single bug report to hundreds of emails from people complaining my stuff is broken ;)
 
Ok, thanks all. I've submitted a PR, so everything that can be done has been done so far. Have a nice weekend :)
 