CVE-2018-1000005

Name
CVE-2018-1000005
Description
libcurl 7.49.0 to and including 7.57.0 contains an out-of-bounds read in the code handling HTTP/2 trailers. It was reported (https://github.com/curl/curl/pull/2231) that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The code that creates HTTP/1-like headers from the HTTP/2 trailer data once appended a string like `:` to the target buffer; this was recently changed to `: ` (a space was added after the colon), but the math that follows wasn't updated correspondingly. When accessed, the data is read out of bounds, and either this causes a crash or the (too large) data gets passed to client write. This could lead to a denial-of-service situation or an information disclosure if someone has a service that echoes back or uses the trailers for something.
NVD Severity
high

References

Type URI
Issue Tracking https://github.com/curl/curl/pull/2231
Patch https://curl.haxx.se/docs/adv_2018-824a.html
Third Party Advisory http://www.securitytracker.com/id/1040273
Third Party Advisory https://www.debian.org/security/2018/dsa-4098
Third Party Advisory https://usn.ubuntu.com/3554-1/
REDHAT https://access.redhat.com/errata/RHSA-2019:1543

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:* libcurl >= 7.49.0 <= 7.57.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status