curl / Mailing Lists / curl-library / Single Mail

curl-library

[SECURITY ADVISORY] curl: RTSP RTP buffer over-read

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Wed, 14 Mar 2018 07:55:11 +0100 (CET)

RTSP RTP buffer over-read
=========================

Project curl Security Advisory, March 14th 2018 -
[Permalink](https://curl.haxx.se/docs/adv_2018-b047.html)

VULNERABILITY
-------------

curl can be tricked into copying data beyond end of its heap based buffer.

When asked to transfer an RTSP URL, curl could calculate a wrong data length
to copy from the read buffer. The memcpy call would copy data from the heap
following the buffer to a storage area that would subsequently be delivered to
the application (if it didn't cause a crash). We've managed to get it to reach
several hundreds bytes out of range.

This could lead to information leakage or a denial of service for the
application if the server offering the RTSP data can trigger this.

We are not aware of any exploit of this flaw.

INFO

----
This bug was introduced in January 2010 in [this
commit](https://github.com/curl/curl/commit/bc4582b68a673d3) when RTSP support
was first added.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2018-1000122 to this issue.
CWE-126: Buffer Over-read
AFFECTED VERSIONS
-----------------
- Affected versions: curl 7.20.0 to and including curl 7.58.0
- Not affected versions: curl < 7.20.0 and curl >= 7.59.0
libcurl is used by many applications, but not always advertised as such.
THE SOLUTION
------------
In curl version 7.59.0, curl makes sure that this code never gets told to copy
more data than it is allowed to read from the buffer.
A [patch for CVE-2018-1000122](https://curl.haxx.se/CVE-2018-1000122.patch) is available.
RECOMMENDATIONS
---------------
We suggest you take one of the following actions immediately, in order of
preference:
  A - Upgrade curl to version 7.59.0
  B - Apply the patch to your version and rebuild
TIME LINE
---------
It was reported to the curl project on February 20, 2018
We contacted distros_at_openwall on March 8, 2018.
curl 7.59.0 was released on March 14 2018, coordinated with the publication of
this advisory.
CREDITS
-------
Detected by OSS-fuzz. Assisted by Max Dymond. Patch by Daniel Stenberg.
Thanks a lot!
-- 
  / daniel.haxx.se
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.html
Received on 2018-03-14