Bug 645698 (CVE-2018-1000005, CVE-2018-1000007) - <net-misc/curl-7.58.0: multiple vulnerabilities (CVE-2018-{1000005,1000007})
Summary: <net-misc/curl-7.58.0: multiple vulnerabilities (CVE-2018-{1000005,1000007})
Status: RESOLVED FIXED
Alias: CVE-2018-1000005, CVE-2018-1000007
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa+ cve]
Keywords:
Depends on: CVE-2018-1000120, CVE-2018-1000121, CVE-2018-1000122
Blocks:
Reported: 2018-01-25 15:30 UTC by GLSAMaker/CVETool Bot
Modified: 2018-04-08 14:30 UTC (History)
CC: 1 user

See Also:
Package list:
net-misc/curl-7.58.0 app-arch/brotli-1.0.2
Runtime testing required: ---
stable-bot: sanity-check+


Description GLSAMaker/CVETool Bot gentoo-dev 2018-01-25 15:30:45 UTC
CVE-2018-1000005 (https://nvd.nist.gov/vuln/detail/CVE-2018-1000005):
  libcurl 7.49.0 to and including 7.57.0 contains an out-of-bounds read in code
  handling HTTP/2 trailers. It was reported
  (https://github.com/curl/curl/pull/2231) that reading an HTTP/2 trailer
  could mess up future trailers since the stored size was one byte less than
  required. The problem is that the code that creates HTTP/1-like headers from
  the HTTP/2 trailer data once appended a string like `:` to the target
  buffer, while this was recently changed to `: ` (a space was added after the
  colon) but the following math wasn't updated correspondingly. When accessed,
  the data is read out of bounds and causes either a crash or that the (too
  large) data gets passed to client write. This could lead to a
  denial-of-service situation or an information disclosure if someone has a
  service that echoes back or uses the trailers for something.

CVE-2018-1000007 (https://nvd.nist.gov/vuln/detail/CVE-2018-1000007):
  libcurl 7.1 through 7.57.0 might accidentally leak authentication data to
  third parties. When asked to send custom headers in its HTTP requests,
  libcurl will send that set of headers first to the host in the initial URL
  but also, if asked to follow redirects and a 30X HTTP response code is
  returned, to the host mentioned in the URL in the `Location:` response header
  value. Sending the same set of headers to subsequent hosts is in particular
  a problem for applications that pass on custom `Authorization:` headers, as
  this header often contains privacy sensitive information or data that could
  allow others to impersonate the libcurl-using client's request.
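An added example, not from this bug report or from curl's own source: a same-origin check that an application setting its own `Authorization:` header can apply before following a `Location:` redirect, so the header is not replayed to a third-party host as described for CVE-2018-1000007. The policy (forward only to the same scheme, host and port) and the function names `parse_origin` and `may_forward_authorization` are this example's own assumptions.

```c
/* Added example, not curl's code: may a custom Authorization: header follow
 * a 30x redirect? Policy assumed here: same scheme, host and port only. */
#include <stdlib.h>
#include <string.h>
#include <strings.h>
struct origin { char scheme[16]; char host[256]; int port; };
/* Parse "scheme://host[:port][/path]" into its origin. Returns 1 on success. */
static int parse_origin(const char *url, struct origin *o)
{
    const char *p = strstr(url, "://");
    size_t n = p ? (size_t)(p - url) : 0;
    if(!p || n == 0 || n >= sizeof(o->scheme))
        return 0;
    memcpy(o->scheme, url, n);
    o->scheme[n] = '\0';
    p += 3;
    n = strcspn(p, ":/?#");             /* host ends at port, path, query or fragment */
    if(n == 0 || n >= sizeof(o->host))
        return 0;
    memcpy(o->host, p, n);
    o->host[n] = '\0';
    p += n;
    if(*p == ':') {                     /* explicit port; atoi() turns junk into 0 */
        o->port = atoi(p + 1);
        if(o->port < 1 || o->port > 65535)
            return 0;
    }
    else if(!strcasecmp(o->scheme, "https"))
        o->port = 443;
    else if(!strcasecmp(o->scheme, "http"))
        o->port = 80;
    else
        return 0;                       /* unknown scheme: no default port */
    return 1;
}
/* Returns 1 if the Authorization: header may be sent to `location`, else 0.
 * A relative Location (starting with '/') stays on the original origin;
 * anything unparsable is refused, which is the safe direction. */
int may_forward_authorization(const char *original, const char *location)
{
    struct origin a, b;
    if(!parse_origin(original, &a))
        return 0;
    if(location[0] == '/')
        return 1;
    if(!parse_origin(location, &b))
        return 0;
    return !strcasecmp(a.scheme, b.scheme) && !strcasecmp(a.host, b.host) &&
           a.port == b.port;
}
```

When the check returns 0, drop the custom `Authorization:` header from the follow-up request (or stop following redirects) rather than sending it to the new host.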
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-25 15:32:37 UTC
References:
https://curl.haxx.se/docs/adv_2018-b3bf.html
https://curl.haxx.se/docs/adv_2018-824a.html
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-26 22:04:17 UTC
@ Maintainer(s): Can we start stabilization of =net-misc/curl-7.58.0?
Comment 3 Anthony Basile gentoo-dev 2018-01-27 13:17:49 UTC
It's ready:

KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 4 Stabilization helper bot gentoo-dev 2018-01-27 14:01:22 UTC
An automated check of this bug failed - repoman reported dependency errors (107 lines truncated): 

> dependency.bad net-misc/curl/curl-7.58.0.ebuild: DEPEND: amd64(default/linux/amd64/17.0) ['app-arch/brotli:=']
> dependency.bad net-misc/curl/curl-7.58.0.ebuild: RDEPEND: amd64(default/linux/amd64/17.0) ['app-arch/brotli:=']
> dependency.bad net-misc/curl/curl-7.58.0.ebuild: DEPEND: amd64(default/linux/amd64/17.0/desktop) ['app-arch/brotli:=']
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2018-01-28 11:51:00 UTC
ia64 stable
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-01-28 13:02:24 UTC
amd64 stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2018-01-28 15:34:16 UTC
ppc/ppc64 stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2018-01-28 17:10:38 UTC
hppa stable
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2018-02-02 20:40:14 UTC
commit 27555169b715bb11b4f2fdf9727b0d52140c04e9
Author: Rolf Eike Beer <eike@sf-mail.de>
Date:   Wed Jan 31 18:36:07 2018 +0100

    net-misc/curl: stable 7.58.0 for sparc, bug #645698
Comment 10 Markus Meier gentoo-dev 2018-02-05 21:26:36 UTC
arm stable
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2018-02-07 06:37:32 UTC
x86 stable
Comment 12 Mart Raudsepp gentoo-dev 2018-03-02 23:52:09 UTC
arm64 stable
Comment 13 Tobias Klausmann (RETIRED) gentoo-dev 2018-03-06 12:38:00 UTC
Stable on alpha.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2018-04-08 14:30:13 UTC
This issue was resolved and addressed in GLSA 201804-04 at https://security.gentoo.org/glsa/201804-04 by GLSA coordinator Aaron Bauman (b-man).