CURL-CVE-2018-1000005

Source
https://curl.se/docs/CVE-2018-1000005.html
Import Source
https://curl.se/docs/CURL-CVE-2018-1000005.json
JSON Data
https://api.osv.dev/v1/vulns/CURL-CVE-2018-1000005
Aliases
Published
2018-01-24T08:00:00Z
Modified
2024-06-07T13:53:51Z
Summary
HTTP/2 trailer out-of-bounds read
Details

libcurl contains an out-of-bounds read in code handling HTTP/2 trailers.

It was reported that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required.

The problem is that the code that creates HTTP/1-like headers from the HTTP/2 trailer data once appended a string like ":" to the target buffer, while this was recently changed to ": " (a space was added after the colon) but the associated math was not updated correspondingly.

When accessed, the data is read out of bounds, which causes either a crash or the (too large) data being passed to the libcurl callback. This might lead to a denial-of-service situation or an information disclosure if someone has a service that echoes back or uses the trailers for something.

References
Credits
    • Zhouyihai Ding - FINDER
    • Zhouyihai Ding - REMEDIATION_DEVELOPER
    • Ray Satiro - OTHER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type
SEMVER
Events
Introduced
7.49.0
Fixed
7.58.0
Type
GIT
Repo
https://github.com/curl/curl.git
Events

Affected versions

7.*

7.49.0
7.49.1
7.50.0
7.50.1
7.50.2
7.50.3
7.51.0
7.52.0
7.52.1
7.53.0
7.53.1
7.54.0
7.54.1
7.55.0
7.55.1
7.56.0
7.56.1
7.57.0