SB2018051617 - Heap-based buffer over-read in curl (Alpine package)
Published: May 16, 2018
Security Bulletin ID: SB2018051617
Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Information disclosure
Description
This security bulletin contains information about 1 security vulnerability.
1) Heap-based buffer over-read (CVE-ID: CVE-2018-1000301)
The vulnerability allows a remote attacker to obtain potentially sensitive information and cause a DoS condition on the target system. The weakness exists due to a heap-based buffer over-read. When servers send RTSP responses back to curl, the data starts out with a set of headers. curl parses that data to separate it into a number of headers, to deal with those appropriately, and to find the end of the headers that signals the start of the "body" part. The function that splits up the response into headers is called Curl_http_readwrite_headers(). In situations where it can't find a single header in the buffer, it might end up leaving a pointer pointing into the buffer instead of to the start of the buffer, which may later lead to an out-of-buffer read when code assumes that the pointer points to a full buffer size worth of memory to use. A remote attacker can gain access to potentially sensitive information and cause the service to crash.
Remediation
Install update from vendor's website.
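The pointer handling described above, as a simplified C model added here for illustration (it is not curl's source code or the vendor's patch). The names `struct rx`, `split_headers`, `bytes_past_end`, `model`, the 64-byte `BUFSZ`, and the "a header line contains ':'" rule are assumptions of this example; it only computes how far a later read would extend past the buffer and never performs that read.

```c
#include <stdio.h>
#include <string.h>
#define BUFSZ 64                /* assumed receive-buffer size for this model */
struct rx {
    char   buf[BUFSZ];          /* receive buffer (heap-allocated in a real client) */
    size_t len;                 /* bytes actually received */
    char  *str;                 /* parse cursor handed on to the body consumer */
};

/* Split into header lines; restore == 0 models the flaw (cursor left mid-buffer). */
static int split_headers(struct rx *r, int restore)
{
    char *end = r->buf + r->len;
    int headers = 0;
    r->str = r->buf;
    while (r->str < end) {
        char *line = r->str;
        char *nl = memchr(line, '\n', (size_t)(end - line));
        if (!nl) break;                     /* no complete line left */
        r->str = nl + 1;                    /* line is consumed before it is classified */
        if (!memchr(line, ':', (size_t)(nl - line))) break;  /* blank or non-header line */
        headers++;
    }
    if (headers == 0 && restore)
        r->str = r->buf;                    /* hardened: the whole buffer is body again */
    return headers;
}

/* Bytes the consumer would touch past buf[BUFSZ]; with no headers it assumes BUFSZ bytes at r->str. */
static size_t bytes_past_end(const struct rx *r, int headers)
{
    size_t off = (size_t)(r->str - r->buf);
    size_t window = headers ? r->len - off : BUFSZ;
    return off + window > BUFSZ ? off + window - BUFSZ : 0;
}

static size_t model(const char *resp, int restore)
{
    struct rx r = {0};
    r.len = strlen(resp);
    memcpy(r.buf, resp, r.len);             /* constructed inputs are shorter than BUFSZ */
    return bytes_past_end(&r, split_headers(&r, restore));
}

int main(void)
{
    const char *bad = "not a header\nbody bytes";   /* constructed sample response */
    printf("flawed: %zu, restored: %zu\n", model(bad, 0), model(bad, 1));
}
```

The over-read length equals the cursor's offset into the buffer, so resetting the cursor on the zero-header path (or bounding every later read by the bytes remaining after the cursor) removes it.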
References
- https://git.alpinelinux.org/aports/commit/?id=201bea07cf7afc2a3cae3e5f5aa927a1c1a66c14
- https://git.alpinelinux.org/aports/commit/?id=0a8c160f5bfb61a52f6baa67dd5ce1e6b72038ae
- https://git.alpinelinux.org/aports/commit/?id=1acc8d384b7bbc2890a59f59ab217ef2918ed6db
- https://git.alpinelinux.org/aports/commit/?id=4cf78dce7e8795b6066bcfcac60143bd68d87bfb
- https://git.alpinelinux.org/aports/commit/?id=816ad945de1a845d5a3f498f361c5ec1f1fdf632
- https://git.alpinelinux.org/aports/commit/?id=81f97eef6dbd21c460ec2d7791d4c4fd5b8a7d1c