CURL-CVE-2018-1000122

See a problem?
Please try reporting it to the source first.

Source

https://curl.se/docs/CVE-2018-1000122.html

Import Source

https://curl.se/docs/CURL-CVE-2018-1000122.json

JSON Data

https://api.osv.dev/v1/vulns/CURL-CVE-2018-1000122

Aliases

CVE-2018-1000122

Published

2018-03-14T08:00:00Z

Modified

2024-06-07T13:53:51Z

Summary

RTSP RTP buffer over-read

Details

curl can be tricked into copying data beyond end of its heap based buffer.

When asked to transfer an RTSP URL, curl could calculate a wrong data length to copy from the read buffer. The memcpy() call would copy data from the heap following the buffer to a storage area that would subsequently be delivered to the application (if it did not cause a crash). We have managed to get it to reach several hundreds bytes out of range.

This could lead to information leakage or a denial of service for the application if the server offering the RTSP data can trigger this.

Database specific

{
    "URL": "https://curl.se/docs/CVE-2018-1000122.json",
    "last_affected": "7.58.0",
    "affects": "both",
    "www": "https://curl.se/docs/CVE-2018-1000122.html",
    "severity": "Medium",
    "CWE": {
        "id": "CWE-126",
        "desc": "Buffer Over-read"
    },
    "package": "curl"
}

References

Credits

- OSS-fuzz - FINDER
- Daniel Stenberg - REMEDIATION_DEVELOPER
- Max Dymond - OTHER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type: SEMVER
Events: Introduced

7.20.0

Fixed

7.59.0

Type: GIT
Repo: https://github.com/curl/curl.git
Events: Introduced

bc4582b68a673d3b0f5a2e7d971605de2c8b3730

Fixed

d52dc4760f6d9ca1937eefa2093058a952465128

Affected versions

7.*

7.20.0

7.20.1

7.21.0

7.21.1

7.21.2

7.21.3

7.21.4

7.21.5

7.21.6

7.21.7

7.22.0

7.23.0

7.23.1

7.24.0

7.25.0

7.26.0

7.27.0

7.28.0

7.28.1

7.29.0

7.30.0

7.31.0

7.32.0

7.33.0

7.34.0

7.35.0

7.36.0

7.37.0

7.37.1

7.38.0

7.39.0

7.40.0

7.41.0

7.42.0

7.42.1

7.43.0

7.44.0

7.45.0

7.46.0

7.47.0

7.47.1

7.48.0

7.49.0

7.49.1

7.50.0

7.50.1

7.50.2

7.50.3

7.51.0

7.52.0

7.52.1

7.53.0

7.53.1

7.54.0

7.54.1

7.55.0

7.55.1

7.56.0

7.56.1

7.57.0

7.58.0

Database specific

vanir_signatures

[
    {
        "source": "https://github.com/curl/curl.git/commit/d52dc4760f6d9ca1937eefa2093058a952465128",
        "signature_version": "v1",
        "deprecated": false,
        "id": "CURL-CVE-2018-1000122-b3abb50e",
        "target": {
            "function": "readwrite_data",
            "file": "lib/transfer.c"
        },
        "signature_type": "Function",
        "digest": {
            "length": 7977.0,
            "function_hash": "161498815877371629434851987410308038878"
        }
    },
    {
        "source": "https://github.com/curl/curl.git/commit/d52dc4760f6d9ca1937eefa2093058a952465128",
        "signature_version": "v1",
        "deprecated": false,
        "id": "CURL-CVE-2018-1000122-c8b5f2ef",
        "target": {
            "file": "lib/transfer.c"
        },
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "225307090206503833151540635093094317452",
                "290229519799572691106036723336395442631",
                "37104245460420581268215469924813140376",
                "180905971171888284277329229387145828511",
                "163226654129534360720460174640381834241",
                "264452607322690180977503567287561379955"
            ]
        }
    }
]