Lucene search

K
archlinuxArchLinuxASA-201811-7
HistoryNov 06, 2018 - 12:00 a.m.

[ASA-201811-7] lib32-libcurl-gnutls: arbitrary code execution

2018-11-0600:00:00
security.archlinux.org
11

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.015 Low

EPSS

Percentile

86.8%

Arch Linux Security Advisory ASA-201811-7

Severity: High
Date : 2018-11-06
CVE-ID : CVE-2018-16839 CVE-2018-16840
Package : lib32-libcurl-gnutls
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-798

Summary

The package lib32-libcurl-gnutls before version 7.62.0-1 is vulnerable
to arbitrary code execution.

Resolution

Upgrade to 7.62.0-1.

pacman -Syu “lib32-libcurl-gnutls>=7.62.0-1”

The problems have been fixed upstream in version 7.62.0.

Workaround

None.

Description

  • CVE-2018-16839 (arbitrary code execution)

The internal function Curl_auth_create_plain_message fails to correctly
verify that the passed in lengths for name and password aren’t too
long, then calculates a buffer size to allocate. On systems with a 32
bit size_t, the math to calculate the buffer size triggers an integer
overflow when the user name length exceeds 2GB (2^31 bytes). This
integer overflow usually causes a very small buffer to actually get
allocated instead of the intended very huge one, making the use of that
buffer end up in a heap buffer overflow.

  • CVE-2018-16840 (arbitrary code execution)

A heap use-after-free flaw was found in curl versions from 7.59.0
through 7.61.1 in the code related to closing an easy handle. When
closing and cleaning up an ‘easy’ handle in the Curl_close()
function, the library code first frees a struct (without nulling the
pointer) and might then subsequently erroneously write to a struct
field within that already freed struct.

Impact

A malicious remote server might be able to execute arbitrary commands
by closing the connection from a client using easy handlers. A
malicious user could execute arbitrary code by passing a very long
username or password used for SASL authentication.

References

https://curl.haxx.se/docs/CVE-2018-16839.html
https://github.com/curl/curl/commit/f3a24d7916b9173c69a3e0ee790102993833d6c5
https://curl.haxx.se/docs/CVE-2018-16840.html
https://github.com/curl/curl/commit/81d135d67155c5295b1033679c606165d4e28f3f
https://security.archlinux.org/CVE-2018-16839
https://security.archlinux.org/CVE-2018-16840

OSVersionArchitecturePackageVersionFilename
ArchLinuxanyanylib32-libcurl-gnutls< 7.62.0-1UNKNOWN

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.015 Low

EPSS

Percentile

86.8%