CVE-2018-1000005

Priority
Medium
Description
libcurl 7.49.0 up to and including 7.57.0 contains an out-of-bounds read in
the code handling HTTP/2 trailers. It was reported
(https://github.com/curl/curl/pull/2231) that reading an HTTP/2 trailer
could mess up future trailers since the stored size was one byte less than
required. The code that creates HTTP/1-like headers from the HTTP/2 trailer
data used to append a string like `:` to the target buffer; this was
recently changed to `: ` (a space was added after the colon), but the size
arithmetic that follows was not updated to match. When accessed, the data
is read out of bounds, which either causes a crash or passes the (too
large) data to the client write. This could lead to a denial of service, or
to an information disclosure if someone has a service that echoes back or
uses the trailers for something.
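The size mismatch described above, as an added example in a simplified model (not curl's code and not part of the original advisory): each trailer is stored as a size followed by its bytes, and a bounds-checked reader detects when the recorded size disagrees with what was written. The record layout and the names `recbuf`, `add_trailer`, `walk_trailers` and `roundtrip` are assumptions made for illustration, and the trailer values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SEP ": "   /* separator actually written between name and value */
#define END "\r\n" /* line ending; its NUL terminator is stored too */
struct recbuf { unsigned char data[256]; size_t used; };

/* Append [uint32 size][name SEP value END NUL]. sep_counted is the separator
 * length the size arithmetic assumes: 1 is the stale count, strlen(SEP) fits. */
static int add_trailer(struct recbuf *b, const char *name, const char *value,
                       size_t sep_counted) {
  size_t nlen = strlen(name), vlen = strlen(value), tail = strlen(END) + 1;
  size_t written = nlen + strlen(SEP) + vlen + tail;              /* appended */
  uint32_t stored = (uint32_t)(nlen + sep_counted + vlen + tail); /* recorded */
  unsigned char *p = b->data + b->used;
  if(sizeof(stored) + written > sizeof(b->data) - b->used)
    return -1;
  memcpy(p, &stored, sizeof(stored));
  snprintf((char *)p + sizeof(stored), written, "%s" SEP "%s" END, name, value);
  b->used += sizeof(stored) + written;
  return 0;
}

/* Walk records by stored size without reading past `used`. Returns the
 * record count, or -1 when a size does not line up with the bytes. */
static int walk_trailers(const struct recbuf *b) {
  size_t off = 0;
  uint32_t len = 0;
  int count = 0;
  for(; off < b->used; off += len, count++) {
    if(b->used - off < sizeof(len))
      return -1;
    memcpy(&len, b->data + off, sizeof(len));
    off += sizeof(len);
    if(len == 0 || len > b->used - off || b->data[off + len - 1] != '\0')
      return -1;
  }
  return count;
}

/* Store two constructed trailers, then walk them back. */
static int roundtrip(size_t sep_counted) {
  struct recbuf b = { {0}, 0 };
  if(add_trailer(&b, "x-checksum", "abc123", sep_counted) ||
     add_trailer(&b, "x-status", "ok", sep_counted))
    return -2;
  return walk_trailers(&b);
}
```

With the stale count the first record's size ends on the `\n` instead of the terminating NUL, so the checked reader rejects the buffer; a reader that trusted the size would start the next record one byte early.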
Ubuntu-Description
leosilva> vulnerability code was introduced after version 7.47
leosilva> trusty and precise/esm are not-affected.
References
Assigned-to
leosilva
Package
Source: curl (LP Ubuntu Debian)
Upstream: released (7.58.0-1)
Ubuntu 12.04 ESM (Precise Pangolin): not-affected
Ubuntu 14.04 LTS (Trusty Tahr): not-affected
Ubuntu 16.04 LTS (Xenial Xerus): released (7.47.0-1ubuntu2.6)
Ubuntu 17.10 (Artful Aardvark): released (7.55.1-1ubuntu2.3)
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (7.58.0-2ubuntu1)
Patches:
Patch: https://github.com/curl/curl/commit/fa3dbb9a147488a294.patch
More Information

Updated: 2018-06-26 05:02:57 UTC (commit 7799c934cca373482531a7b00e4dfe82302ceae5)