# ftp/curl



## frabron (Jun 28, 2013)

Hi all,

portaudit has been reminding me for a few days now that my curl installation has a vulnerability:


```
# portaudit 
Affected package: curl-7.24.0_3
Type of problem: cURL library -- heap corruption in curl_easy_unescape.
Reference: http://portaudit.FreeBSD.org/01cf67b3-dc3b-11e2-a6cd-c48508086173.html

1 problem(s) in your installed packages found.

You are advised to update or deinstall the affected package(s) immediately.
```

Being an obedient admin of my system, I've been trying that for a few days already:


```
# portsnap fetch update
Looking up portsnap.FreeBSD.org mirrors... 6 mirrors found.
Fetching snapshot tag from ec2-eu-west-1.portsnap.freebsd.org... done.
Fetching snapshot metadata... done.
// yadda yadda
// ...
// and then
# portmaster -b curl

===>>> Currently installed version: curl-7.24.0_3
===>>> Port directory: /usr/ports/ftp/curl

===>>> Gathering distinfo list for installed ports

===>>> Launching 'make checksum' for ftp/curl in background
===>>> Gathering dependency list for ftp/curl from ports
===>>> Initial dependency check complete for ftp/curl


===>>> Starting build for ftp/curl <<<===

===>>> All dependencies are up to date

===>  Cleaning for curl-7.24.0_3
===>>> Waiting on fetch & checksum for ftp/curl <<<===
===>  curl-7.24.0_3 has known vulnerabilities:
Affected package: curl-7.24.0_3
Type of problem: cURL library -- heap corruption in curl_easy_unescape.
Reference: http://portaudit.FreeBSD.org/01cf67b3-dc3b-11e2-a6cd-c48508086173.html
=> Please update your ports tree and try again.
*** [check-vulnerable] Error code 1

Stop in /usr/ports/ftp/curl.
===>  Deleting distfiles for curl-7.24.0_3
===>>> RE-STARTING FETCH <<<===


===>  curl-7.24.0_3 has known vulnerabilities:
Affected package: curl-7.24.0_3
Type of problem: cURL library -- heap corruption in curl_easy_unescape.
Reference: http://portaudit.FreeBSD.org/01cf67b3-dc3b-11e2-a6cd-c48508086173.html
=> Please update your ports tree and try again.
*** [check-vulnerable] Error code 1

Stop in /usr/ports/ftp/curl.
*** [build] Error code 1

Stop in /usr/ports/ftp/curl.

===>>> make failed for ftp/curl
===>>> Aborting update

===>>> Killing background jobs
Terminated

===>>> You can restart from the point of failure with this command line:
       portmaster <flags> ftp/curl 

===>>> Exiting
```

So, do I need to wait for a patch? From what I understand from the portaudit vulnerability notes, this vulnerability is not considered critical. But how should I handle this? Ignore it until a patch comes out? Uninstalling is certainly not an option; curl is used by so many ports as a dependency that I dare not try it. I can't be the only one with this issue, but I have a hard time finding more information on how to handle the situation.


```
# uname -a
FreeBSD frodo.metrico 9.1-RELEASE-p4 FreeBSD 9.1-RELEASE-p4 #0: Mon Jun 17 11:42:37 UTC 2013     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64
```


----------



## ShelLuser (Jun 28, 2013)

frabron said:

> So, do I need to wait for a patch?


That's what I'm doing. Unless this is a very critical issue for you, in which case you could always consider trying alternative measures. But quite frankly I have some doubts that those will work.



			
				frabron said:
			
		

> I can't be the only one with this issue but I have a hard time finding more information on how to handle the situation.


Well, that's the nature of the beast a bit, in my opinion; there is no carved-out rule as to what one should do in a situation like this. It all depends on your own situation and environment. For you uninstalling isn't an option (same for me), but maybe others feel more strongly about it.

What I basically did was to look up how I could override this message if needed, then re-evaluated which programs were using Curl and decided that I'm good for now.


```
root@smtp2:/usr/ports/databases/mysql51-server # pkg_info -Rx curl
Information for curl-7.24.0_3:

Required by:
gnupg-1.4.13
gpgme-1.3.2
mutt-1.5.21_3
p5-Mail-SpamAssassin-3.3.2_8
php5-curl-5.4.16
wordpress-3.5.2,1
```

On my system none of these programs will start using Curl without me knowing about it, so I think the risks are currently acceptable. But it's something to keep in mind, of course.


----------



## SirDice (Jun 28, 2013)

It's a bit of a dirty hack, but in the meantime you could try to edit the port's Makefile and change the version number to a recent version. Then run `# make makesum` to update the port's distinfo file. After that, hopefully, the port should build with the new version.

I also suggest submitting a PR to nudge the maintainer to upgrade the port.


----------



## frabron (Jun 28, 2013)

Thanks for the feedback. So I will just try to continue updating the package until this is successful. I did a check with `pkg_info -Rx curl`, and curl is used by nearly all the applications I use my server for in the end, so I won't hassle with trying to uninstall/patch curl.



			
				SirDice said:
			
		

> I also suggest submitting a PR to nudge the maintainer to upgrade the port.



Shouldn't he know this already? I don't want to be annoying or anything, since port management probably isn't a paid job and is mostly done in spare time, I guess ...


----------



## kpa (Jun 28, 2013)

You can force the build and ignore the vulnerability by using DISABLE_VULNERABILITIES=1 on the make(1) command line:

`make -C /usr/ports/ftp/curl DISABLE_VULNERABILITIES=1`

Or if you're using portmaster(8):

`portmaster -m "DISABLE_VULNERABILITIES=1" ftp/curl`


----------



## SirDice (Jun 28, 2013)

frabron said:

> Shouldn't he know this already? I don't want to be annoying or anything, since port management probably isn't a paid job and is mostly done in spare time, I guess ...


He should, but he might have missed it. Have a look in the existing PRs; somebody may have already submitted one. If there isn't one, just create it. The PR system helps everyone keep track of outstanding issues. Personally I'd prefer a single bug report to hundreds of emails from people complaining my stuff is broken.


----------



## frabron (Jun 28, 2013)

Ok, thanks all. I've submitted a PR, so everything that can be done has been done so far. Have a nice weekend.


----------

