CURL-CVE-2018-1000005

See a problem?
Please try reporting it to the source first.

Source

https://curl.se/docs/CVE-2018-1000005.html

Import Source

https://curl.se/docs/CURL-CVE-2018-1000005.json

JSON Data

https://api.osv.dev/v1/vulns/CURL-CVE-2018-1000005

Aliases

CVE-2018-1000005

Published

2018-01-24T08:00:00Z

Modified

2024-06-07T13:53:51Z

Summary

HTTP/2 trailer out-of-bounds read

Details

libcurl contains an out bounds read in code handling HTTP/2 trailers.

It was reported that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required.

The problem is that the code that creates HTTP/1-like headers from the HTTP/2 trailer data once appended a string like ":" to the target buffer, while this was recently changed to ": " (a space was added after the colon) but the associated math was not updated correspondingly.

When accessed, the data is read out of bounds and causes either a crash or that the (too large) data gets passed to the libcurl callback. This might lead to a denial-of-service situation or an information disclosure if someone has a service that echoes back or uses the trailers for something.

References

Credits

- Zhouyihai Ding - FINDER
- Zhouyihai Ding - REMEDIATION_DEVELOPER
- Ray Satiro - OTHER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type: SEMVER
Events: Introduced

7.49.0

Fixed

7.58.0

Type: GIT
Repo: https://github.com/curl/curl.git
Events: Introduced

0761a51ee0551ad9e523cbdba24ce00d22fff9c1

Fixed

fa3dbb9a147488a2943bda809c66fc497efe06cb

Affected versions

7.*

7.49.0

7.49.1

7.50.0

7.50.1

7.50.2

7.50.3

7.51.0

7.52.0

7.52.1

7.53.0

7.53.1

7.54.0

7.54.1

7.55.0

7.55.1

7.56.0

7.56.1

7.57.0