CVE-2018-1000005
Published: 24 January 2018
libcurl 7.49.0 to and including 7.57.0 contains an out bounds read in code handling HTTP/2 trailers. It was reported (https://github.com/curl/curl/pull/2231) that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the code that creates HTTP/1-like headers from the HTTP/2 trailer data once appended a string like `:` to the target buffer, while this was recently changed to `: ` (a space was added after the colon) but the following math wasn't updated correspondingly. When accessed, the data is read out of bounds and causes either a crash or that the (too large) data gets passed to client write. This could lead to a denial-of-service situation or an information disclosure if someone has a service that echoes back or uses the trailers for something.
From the Ubuntu Security Team
leosilva> vulnerability code was introduced after version 7.47 leosilva> trusty and precise/esm are not-affected.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
curl Launchpad, Ubuntu, Debian |
artful |
Released
(7.55.1-1ubuntu2.3)
|
| trusty |
Not vulnerable
|
|
| upstream |
Released
(7.58.0-1)
|
|
| xenial |
Released
(7.47.0-1ubuntu2.6)
|
|
|
Patches: other: https://github.com/curl/curl/commit/fa3dbb9a147488a294.patch |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 9.1 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |