CVE-2018-1000005 (retired)

Priority
Description
libcurl 7.49.0 up to and including 7.57.0 contains an out-of-bounds read in
the code handling HTTP/2 trailers. It was reported
(https://github.com/curl/curl/pull/2231) that reading an HTTP/2 trailer
could mess up future trailers since the stored size was one byte less than
required. The problem is that the code that creates HTTP/1-like headers
from the HTTP/2 trailer data once appended a string like `:` to the target
buffer, while this was recently changed to `: ` (a space was added after
the colon) but the following math wasn't updated correspondingly. When
accessed, the data is read out of bounds and either causes a crash or
passes the (too large) data to client write. This could lead to a
denial-of-service situation or an information disclosure if someone has a
service that echoes back or uses the trailers for something.
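
The length mismatch described above, reduced to a small C model (an added example, not curl's code; the 4-byte length prefix, the function names and the sample trailers are assumptions made for illustration). It stores two trailers with the stale and the corrected length accounting and walks them with a bounds-checked reader.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Simplified model, not curl's code. A trailer is stored as a 4-byte length
   followed by "name: value\r\n". `overhead` is what the writer adds to
   namelen + valuelen: 3 counts ":" + CRLF (stale), 4 counts ": " + CRLF. */
static size_t store_trailer(uint8_t *buf, size_t used, size_t cap,
                            const char *name, const char *value,
                            uint32_t overhead)
{
  size_t nl = strlen(name), vl = strlen(value);
  uint32_t n = (uint32_t)(nl + vl) + overhead;  /* length recorded */
  if(used + sizeof(n) + nl + vl + 4 > cap)      /* bytes really written */
    return used;
  memcpy(buf + used, &n, sizeof(n)); used += sizeof(n);
  memcpy(buf + used, name, nl);      used += nl;
  memcpy(buf + used, ": ", 2);       used += 2;
  memcpy(buf + used, value, vl);     used += vl;
  memcpy(buf + used, "\r\n", 2);     used += 2;
  return used;
}

/* Walk the records by their recorded lengths, checking every access.
   Returns the number of records, or -1 if the lengths are inconsistent. */
static int walk_trailers(const uint8_t *buf, size_t used)
{
  size_t off = 0;
  int count = 0;
  while(off < used) {
    uint32_t n;
    if(used - off < sizeof(n)) return -1;
    memcpy(&n, buf + off, sizeof(n));
    off += sizeof(n);
    if(n < 2 || n > used - off) return -1;     /* would read out of bounds */
    if(memcmp(buf + off + n - 2, "\r\n", 2) != 0) return -1;  /* misaligned */
    off += n;
    count++;
  }
  return count;
}

static int demo(uint32_t overhead)   /* constructed sample trailers */
{
  uint8_t buf[128];
  size_t used = store_trailer(buf, 0, sizeof(buf), "x-checksum", "abc123", overhead);
  used = store_trailer(buf, used, sizeof(buf), "x-status", "ok", overhead);
  return walk_trailers(buf, used);
}
int main(void) { printf("%d %d\n", demo(3), demo(4)); return 0; }
```

With the stale overhead of 3 the first record ends one byte early, so the walk is rejected; a reader without these checks would take its next length from the wrong offset.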
Ubuntu-Description
leosilva> vulnerability code was introduced after version 7.47
leosilva> trusty and precise/esm are not-affected.
Assigned-to
leosilva
Package
Source: curl (LP Ubuntu Debian)
Upstream: released (7.58.0-1)
Ubuntu 12.04 ESM (Precise Pangolin): not-affected
Ubuntu 14.04 LTS (Trusty Tahr): not-affected
Ubuntu 16.04 LTS (Xenial Xerus): released (7.47.0-1ubuntu2.6)
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (7.58.0-2ubuntu1)
Patches:
Other: https://github.com/curl/curl/commit/fa3dbb9a147488a294.patch

Updated: 2019-03-26 12:26:47 UTC (commit ccdecfcf0fead22bd291e5f4ea745a46872dcb15)