[ASA-201801-20] curl: multiple issues

Jelle van der Waa jelle at archlinux.org
Mon Jan 29 19:18:21 UTC 2018


Arch Linux Security Advisory ASA-201801-20
==========================================

Severity: Medium
Date    : 2018-01-28
CVE-ID  : CVE-2018-1000005 CVE-2018-1000007
Package : curl
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-593

Summary
=======

The package curl before version 7.58.0-1 is vulnerable to multiple
issues including denial of service and information disclosure.

Resolution
==========

Upgrade to 7.58.0-1.

# pacman -Syu "curl>=7.58.0-1"

The problems have been fixed upstream in version 7.58.0.

Workaround
==========

None.

Description
===========

- CVE-2018-1000005 (denial of service)

libcurl contains an out bounds read in code handling HTTP/2 trailers.
It was reported that reading an HTTP/2 trailer could mess up future
trailers since the stored size was one byte less than required. The
problem is that the code that creates HTTP/1-like headers from the
HTTP/2 trailer data once appended a string like `":"` to the target
buffer, while this was recently changed to `": "` (a space was added
after the colon) but the associated math wasn't updated
correspondingly. When accessed, the data is read out of bounds and
causes either a crash or that the (too large) data gets passed to the
libcurl callback. This might lead to a denial-of-service situation or
an information disclosure if someone has a service that echoes back or
uses the trailers for something.

- CVE-2018-1000007 (information disclosure)

libcurl might leak authentication data to third parties. When asked to
send custom headers in its HTTP requests, libcurl will send that set of
headers first to the host in the initial URL but also, if asked to
follow redirects and a 30X HTTP response code is returned, to the host
mentioned in URL in the `Location:` response header value. Sending the
same set of headers to subsequest hosts is in particular a problem for
applications that pass on custom `Authorization:` headers, as this
header often contains privacy sensitive information or data that could
allow others to impersonate the libcurl-using client's request.

Impact
======

A remote attacker is able to crash the application or possibly disclose
sensitive information on the affected host.

References
==========

https://curl.haxx.se/docs/adv_2018-824a.html
https://github.com/curl/curl/commit/fa3dbb9a147488a2943bda809c66fc497efe06cb
https://curl.haxx.se/docs/adv_2018-b3bf.html
https://github.com/curl/curl/commit/af32cd3859336ab963591ca0df9b1e33a7ee066b
https://security.archlinux.org/CVE-2018-1000005
https://security.archlinux.org/CVE-2018-1000007
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20180129/79fdf47f/attachment.asc>


More information about the arch-security mailing list