CVE-2018-1000005

CRITICAL

Haxx Libcurl < 7.57.0 - Out-of-Bounds Read


Description

libcurl 7.49.0 up to and including 7.57.0 contains an out-of-bounds read in the code handling HTTP/2 trailers. It was reported (https://github.com/curl/curl/pull/2231) that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The code that creates HTTP/1-like headers from the HTTP/2 trailer data once appended a string like `:` to the target buffer; this was recently changed to `: ` (a space was added after the colon), but the following math wasn't updated correspondingly. When accessed, the data is read out of bounds, which causes either a crash or the (too large) data being passed to the client write. This could lead to a denial-of-service situation, or to an information disclosure if someone has a service that echoes back or uses the trailers for something.
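The size mismatch described above, as an added example that is a simplified model and not curl's own code: the length-prefixed record layout, the function names and the trailer values are assumptions made for illustration. It stores two trailers with the stale size math and with the corrected math, then walks them with a reader that validates every stored size before using it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, NOT curl's code; the record layout is an assumption.
 * Each trailer is stored as [4-byte big-endian size]["name: value\r\n"].
 * overhead = bytes the size math adds for the separator and CRLF:
 * 3 is the stale math (":" + CRLF), 4 matches what is written (": " + CRLF). */
static size_t put_trailer(uint8_t *buf, size_t cap, size_t off,
                          const char *name, const char *value, size_t overhead)
{
    uint32_t n = (uint32_t)(strlen(name) + strlen(value) + overhead);
    for (int i = 0; i < 4; i++)
        buf[off + i] = (uint8_t)(n >> (24 - 8 * i));
    off += 4;
    return off + (size_t)snprintf((char *)buf + off, cap - off,
                                  "%s: %s\r\n", name, value);
}

/* Walk the records; return how many there are, or -1 when a stored size
 * does not fit the data (a reader without this check reads out of bounds). */
static int count_trailers(const uint8_t *buf, size_t used)
{
    size_t off = 0;
    int count = 0;
    while (off < used) {
        uint32_t n = 0;
        if (used - off < 4) return -1;      /* truncated size field */
        for (int i = 0; i < 4; i++)
            n = (n << 8) | buf[off + i];
        off += 4;
        if (n > used - off) return -1;      /* size runs past the stored data */
        off += n;
        count++;
    }
    return count;
}

/* Store two constructed trailers with the given size math and walk them. */
static int run_model(size_t overhead)
{
    uint8_t buf[128];
    size_t used = put_trailer(buf, sizeof buf, 0, "x-checksum", "abc123", overhead);
    used = put_trailer(buf, sizeof buf, used, "x-status", "ok", overhead);
    return count_trailers(buf, used);
}

int main(void)
{
    printf("fixed math: %d, stale math: %d\n", run_model(4), run_model(3));
    return 0;
}
```

With the stale math the first record is one byte short, so the reader takes the next size field starting at the leftover `\n` and gets a value far larger than the remaining data; the bounds check turns that into an error instead of an over-read.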

References (6)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1040273
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3554-1/
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2018/dsa-4098
Patch, Vendor Advisory x_refsource_confirm
https://curl.haxx.se/docs/adv_2018-824a.html
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://github.com/curl/curl/pull/2231
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:1543

Scores

CVSS v3 9.1
EPSS 0.0037
EPSS Percentile 58.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Details

CWE
CWE-125
Status published
Products (6)
canonical/ubuntu_linux 14.04
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 17.10
debian/debian_linux 8.0
debian/debian_linux 9.0
haxx/libcurl 7.49.0 - 7.57.0
Published Jan 24, 2018
Tracked Since Feb 18, 2026