Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 650056 (CVE-2018-1000120, CVE-2018-1000121, CVE-2018-1000122) - <net-misc/curl-7.59.0: multiple vulnerabilities (CVE-2018-{1000120,1000121,1000122})
Summary: <net-misc/curl-7.59.0: multiple vulnerabilities (CVE-2018-{1000120,1000121,10...
Alias: CVE-2018-1000120, CVE-2018-1000121, CVE-2018-1000122
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: A3 [glsa+ cve]
Depends on:
Blocks: CVE-2018-1000005, CVE-2018-1000007
  Show dependency tree
Reported: 2018-03-09 21:35 UTC by Thomas Deutschmann (RETIRED)
Modified: 2018-07-27 21:27 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---
stable-bot: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann (RETIRED) gentoo-dev 2018-03-09 21:35:02 UTC
Incoming details.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2018-03-14 11:29:31 UTC
CVE-2018-1000120: FTP path trickery leads to NIL byte out of bounds write
curl can be fooled into writing a zero byte out of bounds.

This bug can trigger when curl is told to work on an FTP URL, with the setting to only issue a single CWD command (--ftp-method singlecwd or the libcurl alternative CURLOPT_FTP_FILEMETHOD).

curl then URL-decodes the given path, calls strlen() on the result and deducts the length of the file name part to find the end of the directory within the buffer. It then writes a zero byte on that index, in a buffer allocated on the heap.

If the directory part of the URL contains a "%00" sequence, the directory length might end up shorter than the file name path, making the calculation size_t index = directory_len - filepart_len end up with a huge index variable for where the zero byte gets stored: heap_buffer[index] = 0. On several architectures that huge index will wrap and work as a negative value, thus overwriting memory before the intended heap buffer.

By using different file part lengths and putting %00 in different places in the URL, an attacker that can control what paths a curl-using application uses can write that zero byte on different indexes.

CVE-2018-1000121: LDAP NULL pointer dereference
curl might dereference a near-NULL address when getting an LDAP URL.

The function ldap_get_attribute_ber() is called to get attributes, but it turns out that it can return LDAP_SUCCESS and still return a NULL pointer in the result pointer when getting a particularly crafted response. This was a surprise to us and to the code.

libcurl-using applications that allow LDAP URLs, or that allow redirects to LDAP URLs could be made to crash by a malicious server.

CVE-2018-1000122: RTSP RTP buffer over-read
curl can be tricked into copying data beyond end of its heap based buffer.

When asked to transfer an RTSP URL, curl could calculate a wrong data length to copy from the read buffer. The memcpy call would copy data from the heap following the buffer to a storage area that would subsequently be delivered to the application (if it didn't cause a crash). We've managed to get it to reach several hundreds bytes out of range.

This could lead to information leakage or a denial of service for the application if the server offering the RTSP data can trigger this.
Comment 2 Anthony Basile gentoo-dev 2018-03-16 23:10:04 UTC
Please note that curl-7.59.0 (latest version addressing the above issues) is on the tree.  Its ready for rapid stabilization:

KEYWORDS="alpha amd64 arm arm64 hppa ia64 ppc ppc64 sparc x86"
Comment 3 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-03-17 10:10:13 UTC
amd64 stable
Comment 4 Matt Turner gentoo-dev 2018-03-17 17:47:05 UTC
alpha stable
Comment 5 Matt Turner gentoo-dev 2018-03-17 23:10:35 UTC
ppc/ppc64 stable
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2018-03-18 00:43:42 UTC
x86 stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-18 11:16:44 UTC
ia64 stable
Comment 8 Mart Raudsepp gentoo-dev 2018-03-20 21:43:39 UTC
arm64 stable
Comment 9 Matt Turner gentoo-dev 2018-03-21 21:41:15 UTC
hppa stable
Comment 10 Markus Meier gentoo-dev 2018-04-08 10:55:41 UTC
arm stable, all arches done.
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2018-04-08 14:01:28 UTC
GLSA request filed.  sparc was not CC'ed so giving them a chance.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2018-04-08 14:30:20 UTC
This issue was resolved and addressed in
 GLSA 201804-04 at
by GLSA coordinator Aaron Bauman (b-man).
Comment 13 Aaron Bauman (RETIRED) gentoo-dev 2018-04-08 14:31:41 UTC
Re-opened for cleanup and hopefully sparc can stabilize.
Comment 14 Larry the Git Cow gentoo-dev 2018-04-11 21:22:07 UTC
The bug has been referenced in the following commit(s):

commit de11a48ccc58edcc85ec60d95049595535957c2e
Author:     Rolf Eike Beer <>
AuthorDate: 2018-04-11 17:38:25 +0000
Commit:     Sergei Trofimovich <>
CommitDate: 2018-04-11 21:21:52 +0000

    net-misc/curl: stable 7.59.0 for sparc
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"

 net-misc/curl/curl-7.59.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)}
Comment 15 Aaron Bauman (RETIRED) gentoo-dev 2018-06-07 20:22:49 UTC
CC'ing exp arches due to the importance of curl.
Comment 16 Aaron Bauman (RETIRED) gentoo-dev 2018-06-07 20:26:59 UTC
cleanup will happen in bug 655266