CURL-CVE-2018-1000005

See a problem?
Please try reporting it to the source first.

Source

https://curl.se/docs/CVE-2018-1000005.html

Import Source

https://curl.se/docs/CURL-CVE-2018-1000005.json

JSON Data

https://api.osv.dev/v1/vulns/CURL-CVE-2018-1000005

Aliases

CVE-2018-1000005

Published

2018-01-24T08:00:00Z

Modified

2024-06-07T13:53:51Z

Summary

HTTP/2 trailer out-of-bounds read

Details

libcurl contains an out bounds read in code handling HTTP/2 trailers.

It was reported that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required.

The problem is that the code that creates HTTP/1-like headers from the HTTP/2 trailer data once appended a string like ":" to the target buffer, while this was recently changed to ": " (a space was added after the colon) but the associated math was not updated correspondingly.

When accessed, the data is read out of bounds and causes either a crash or that the (too large) data gets passed to the libcurl callback. This might lead to a denial-of-service situation or an information disclosure if someone has a service that echoes back or uses the trailers for something.

Database specific

{
    "www": "https://curl.se/docs/CVE-2018-1000005.html",
    "severity": "Low",
    "CWE": {
        "id": "CWE-126",
        "desc": "Buffer Over-read"
    },
    "URL": "https://curl.se/docs/CVE-2018-1000005.json",
    "affects": "both",
    "package": "curl",
    "last_affected": "7.57.0"
}

References

Credits

- Zhouyihai Ding - FINDER
- Zhouyihai Ding - REMEDIATION_DEVELOPER
- Ray Satiro - OTHER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type: SEMVER
Events: Introduced

7.49.0

Fixed

7.58.0

Type: GIT
Repo: https://github.com/curl/curl.git
Events: Introduced

0761a51ee0551ad9e523cbdba24ce00d22fff9c1

Fixed

fa3dbb9a147488a2943bda809c66fc497efe06cb

Affected versions

7.*

7.49.0

7.49.1

7.50.0

7.50.1

7.50.2

7.50.3

7.51.0

7.52.0

7.52.1

7.53.0

7.53.1

7.54.0

7.54.1

7.55.0

7.55.1

7.56.0

7.56.1

7.57.0

Database specific

vanir_signatures

[
    {
        "signature_version": "v1",
        "signature_type": "Line",
        "target": {
            "file": "lib/http2.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "282594126888140028228277749074138099553",
                "40991569800935917858892231272272988584",
                "95792618963566449240292544714322976924",
                "197448932819711430286793144722352352410"
            ]
        },
        "deprecated": false,
        "id": "CURL-CVE-2018-1000005-71fc75cd",
        "source": "https://github.com/curl/curl.git/commit/fa3dbb9a147488a2943bda809c66fc497efe06cb"
    },
    {
        "signature_version": "v1",
        "signature_type": "Function",
        "target": {
            "function": "on_header",
            "file": "lib/http2.c"
        },
        "digest": {
            "function_hash": "67385459130250674587968461156705047700",
            "length": 2561.0
        },
        "deprecated": false,
        "id": "CURL-CVE-2018-1000005-d7fb97d0",
        "source": "https://github.com/curl/curl.git/commit/fa3dbb9a147488a2943bda809c66fc497efe06cb"
    }
]