CVE-2018-1000005 Information
Description
libcurl 7.49.0 to and including 7.57.0 contains an out-of-bounds read in the code handling HTTP/2 trailers. It was reported (https://github.com/curl/curl/pull/2231) that reading an HTTP/2 trailer could mess up future trailers, since the stored size was one byte less than required. The code that creates HTTP/1-like headers from the HTTP/2 trailer data originally appended a separator of ":" (colon only) to the target buffer; this was later changed to ": " (a space was added after the colon), but the length arithmetic that follows was not updated correspondingly, so the stored length is one byte short of the bytes actually written. When the stored trailers are accessed, data is read out of bounds, causing either a crash or the (too large) data being passed on to the client write function. This could lead to a denial of service, or to information disclosure if a service echoes back or otherwise uses the trailers.
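To make the length mismatch concrete, here is an added C example written for this page. It is not libcurl's code and not the change from the pull request above; it is a constructed model of the pattern the advisory describes: each trailer is stored as a length prefix followed by an HTTP/1-style "name: value\r\n" line, and the consumer walks the records trusting those stored lengths. The record layout, the trailer names x-a and x-b, and the "+ 3" versus "+ 4" arithmetic are assumptions made for illustration. The reader here checks every stored length against the end of the buffer, so the misalignment surfaces as a rejected record instead of an actual out-of-bounds read; the place where it rejects is exactly where unchecked code would read past the buffer.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed illustration of the off-by-one described in CVE-2018-1000005.
 * NOT libcurl's code. Model: HTTP/2 trailer fields are converted to
 * HTTP/1-style "name: value\r\n" lines and stored as
 * [size_t length][line bytes], one record per trailer. If the stored
 * length does not match the bytes written, every later record is read
 * from the wrong offset.
 */

#define RECVBUF_CAP 256

struct recvbuf {
    unsigned char data[RECVBUF_CAP];
    size_t len;
};

static int buf_append(struct recvbuf *b, const void *p, size_t n)
{
    if (n > RECVBUF_CAP - b->len)
        return -1;                     /* would not fit */
    memcpy(b->data + b->len, p, n);
    b->len += n;
    return 0;
}

/*
 * Store one trailer. The separator written is always ": " (two bytes).
 * fixed == 0: length computed as if the separator were the old one-byte
 *             ":" ("+ 3" covers ':' and "\r\n"), one byte short.
 * fixed != 0: "+ 4" matches the bytes actually appended.
 */
static int store_trailer(struct recvbuf *b, const char *name,
                         const char *value, int fixed)
{
    size_t namelen = strlen(name), valuelen = strlen(value);
    size_t n = namelen + valuelen + (fixed ? 4 : 3);

    if (buf_append(b, &n, sizeof n) || buf_append(b, name, namelen) ||
        buf_append(b, ": ", 2) || buf_append(b, value, valuelen) ||
        buf_append(b, "\r\n", 2))
        return -1;
    return 0;
}

#define MAX_LINES 4
#define LINE_CAP  32

/*
 * Walk the records trusting the stored lengths, as the consumer does.
 * Returns the number of lines recovered, or -1 as soon as a stored length
 * points past the end of the buffer: the spot where an unchecked reader
 * would read out of bounds.
 */
static int walk_trailers(const struct recvbuf *b, char lines[][LINE_CAP])
{
    size_t pos = 0;
    int count = 0;

    while (pos < b->len && count < MAX_LINES) {
        size_t n;
        if (b->len - pos < sizeof n)
            return -1;                 /* truncated length prefix */
        memcpy(&n, b->data + pos, sizeof n);
        pos += sizeof n;
        if (n > b->len - pos || n >= LINE_CAP)
            return -1;                 /* length runs off the buffer */
        memcpy(lines[count], b->data + pos, n);
        lines[count][n] = '\0';
        pos += n;
        count++;
    }
    return count;
}

static char g_lines[MAX_LINES][LINE_CAP];   /* recovered lines of the last run */

/* Build a buffer with two constructed trailers and walk it. */
static int demo_count(int fixed)
{
    struct recvbuf b = { {0}, 0 };
    memset(g_lines, 0, sizeof g_lines);
    if (store_trailer(&b, "x-a", "1", fixed) ||
        store_trailer(&b, "x-b", "22", fixed))
        return -2;
    return walk_trailers(&b, g_lines);
}

/* 1 if record idx recovered by demo_count(fixed) equals expect. */
static int demo_line_is(int fixed, int idx, const char *expect)
{
    demo_count(fixed);
    return idx >= 0 && idx < MAX_LINES && strcmp(g_lines[idx], expect) == 0;
}

int main(void)
{
    int i, n;

    n = demo_count(0);
    printf("vulnerable (+3): walk returned %d\n", n);
    for (i = 0; i < MAX_LINES && g_lines[i][0]; i++)
        printf("  record %d: %zu bytes\n", i, strlen(g_lines[i]));

    n = demo_count(1);
    printf("fixed (+4): walk returned %d\n", n);
    for (i = 0; i < n; i++)
        printf("  record %d: %zu bytes\n", i, strlen(g_lines[i]));
    return 0;
}
```

With the "+ 3" arithmetic the first record comes back one byte short ("x-a: 1\r" without its "\n"), and the second length prefix is then read one byte late, picking up that stray "\n" as its low byte, which yields a length far larger than what remains in the buffer. With "+ 4" both lines are recovered intact. Compile with `cc -Wall demo.c && ./a.out`.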
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Reference
http://www.securitytracker.com/id/1040273
https://access.redhat.com/errata/RHSA-2019:1543
https://curl.haxx.se/docs/adv_2018-824a.html
https://github.com/curl/curl/pull/2231
https://usn.ubuntu.com/3554-1/
https://www.debian.org/security/2018/dsa-4098
cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:*
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
HIGH
Base Score
9.1
Base Severity
CRITICAL