Arch Linux Security Advisory ASA-201811-4

Severity: High
Date : 2018-11-06
CVE-ID : CVE-2018-16840 CVE-2018-16842
Package : curl
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-795

Summary

The package curl before version 7.62.0-1 is vulnerable to multiple
issues including arbitrary code execution and information disclosure.

Resolution

Upgrade to 7.62.0-1.

pacman -Syu “curl>=7.62.0-1”

The problems have been fixed upstream in version 7.62.0.

Workaround

None.

Description

• CVE-2018-16840 (arbitrary code execution)

A heap use-after-free flaw was found in curl versions from 7.59.0
through 7.61.1 in the code related to closing an easy handle. When
closing and cleaning up an ‘easy’ handle in the Curl_close()
function, the library code first frees a struct (without nulling the
pointer) and might then subsequently erroneously write to a struct
field within that already freed struct.

• CVE-2018-16842 (information disclosure)

Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based
buffer over-read in the tool_msgs.c:voutf() function that may result in
information exposure and denial of service.
This display function formats the output to wrap at 80 columns. The
wrap logic is however flawed, so if a single word in the message is
itself longer than 80 bytes the buffer arithmetic calculates the
remainder wrong and will end up reading behind the end of the buffer.

Impact

A malicious remote server could execute arbitrary commands by closing
the client initialized with easy handlers. A malicious local user could
disclose information and crash the application if invalid flags were
passed.

References

https://curl.haxx.se/docs/CVE-2018-16840.html
https://github.com/curl/curl/commit/81d135d67155c5295b1033679c606165d4e28f3f
https://curl.haxx.se/docs/CVE-2018-16842.html
https://github.com/curl/curl/commit/d530e92f59ae9bb2d47066c3c460b25d2ffeb211
https://security.archlinux.org/CVE-2018-16840
https://security.archlinux.org/CVE-2018-16842