Lucene search

K
archlinuxArchLinuxASA-201801-22
HistoryJan 29, 2018 - 12:00 a.m.

[ASA-201801-22] lib32-curl: multiple issues

2018-01-2900:00:00
security.archlinux.org
7

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

6.4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:N/A:P

0.007 Low

EPSS

Percentile

79.0%

Arch Linux Security Advisory ASA-201801-22

Severity: Medium
Date : 2018-01-29
CVE-ID : CVE-2018-1000005 CVE-2018-1000007
Package : lib32-curl
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-594

Summary

The package lib32-curl before version 7.58.0-1 is vulnerable to
multiple issues including denial of service and information disclosure.

Resolution

Upgrade to 7.58.0-1.

pacman -Syu “lib32-curl>=7.58.0-1”

The problems have been fixed upstream in version 7.58.0.

Workaround

None.

Description

  • CVE-2018-1000005 (denial of service)

libcurl contains an out bounds read in code handling HTTP/2 trailers.
It was reported that reading an HTTP/2 trailer could mess up future
trailers since the stored size was one byte less than required. The
problem is that the code that creates HTTP/1-like headers from the
HTTP/2 trailer data once appended a string like ":" to the target
buffer, while this was recently changed to ": " (a space was added
after the colon) but the associated math wasn’t updated
correspondingly. When accessed, the data is read out of bounds and
causes either a crash or that the (too large) data gets passed to the
libcurl callback. This might lead to a denial-of-service situation or
an information disclosure if someone has a service that echoes back or
uses the trailers for something.

  • CVE-2018-1000007 (information disclosure)

libcurl might leak authentication data to third parties. When asked to
send custom headers in its HTTP requests, libcurl will send that set of
headers first to the host in the initial URL but also, if asked to
follow redirects and a 30X HTTP response code is returned, to the host
mentioned in URL in the Location: response header value. Sending the
same set of headers to subsequest hosts is in particular a problem for
applications that pass on custom Authorization: headers, as this
header often contains privacy sensitive information or data that could
allow others to impersonate the libcurl-using client’s request.

Impact

A remote attacker is able to crash the application or possibly disclose
sensitive information on the affected host.

References

https://curl.haxx.se/docs/adv_2018-824a.html
https://github.com/curl/curl/commit/fa3dbb9a147488a2943bda809c66fc497efe06cb
https://curl.haxx.se/docs/adv_2018-b3bf.html
https://github.com/curl/curl/commit/af32cd3859336ab963591ca0df9b1e33a7ee066b
https://security.archlinux.org/CVE-2018-1000005
https://security.archlinux.org/CVE-2018-1000007

OSVersionArchitecturePackageVersionFilename
ArchLinuxanyanylib32-curl< 7.58.0-1UNKNOWN

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

6.4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:N/A:P

0.007 Low

EPSS

Percentile

79.0%