ArchLinux: 201811-4: curl: multiple issues
Summary
- CVE-2018-16840 (arbitrary code execution)
A heap use-after-free flaw was found in curl versions from 7.59.0
through 7.61.1 in the code related to closing an easy handle. When
closing and cleaning up an 'easy' handle in the `Curl_close()`
function, the library code first frees a struct (without nulling the
pointer) and may then erroneously write to a field within that
already freed struct.
- CVE-2018-16842 (information disclosure)
Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based
buffer over-read in the tool_msgs.c:voutf() function that may result in
information exposure and denial of service.
This display function formats the output to wrap at 80 columns. The
wrap logic is flawed, however: if a single word in the message is
itself longer than 80 bytes, the buffer arithmetic calculates the
remainder incorrectly and ends up reading beyond the end of the buffer.
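The remainder miscalculation described for CVE-2018-16842 can be seen in a small model of a wrap loop. This is an added example, not curl's source code; the width constant, the function name `wrap_overread` and the specific mismatch (the remaining-length counter shrinking by one byte less than the cursor advances) are assumptions made for illustration. The model works on offsets only, so it never touches memory outside the message.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define WIDTH 79 /* assumed text width per line; not taken from curl */

/* Model of a wrap loop that tracks offsets only, so nothing outside msg is
 * ever dereferenced. Returns the largest number of bytes past the end of
 * msg (terminator included) that a line write would have covered.
 * fixed == 0: remainder shrinks by cut while the cursor moves cut + 1.
 * fixed != 0: remainder and cursor move by the same amount. */
size_t wrap_overread(const char *msg, int fixed)
{
    size_t total = strlen(msg);
    size_t pos = 0;     /* cursor offset into msg */
    size_t len = total; /* bytes the loop believes are left */
    size_t worst = 0;

    while (len > WIDTH) {
        size_t cut = WIDTH - 1;
        /* search backwards for a space, bounded to the real buffer */
        while (cut && !(pos + cut < total &&
                        isspace((unsigned char)msg[pos + cut])))
            cut--;
        if (cut == 0)
            cut = WIDTH - 1; /* one word fills the line: cut at the width */

        size_t end = pos + cut + 1; /* one past the last byte written */
        if (end > total + 1 && end - (total + 1) > worst)
            worst = end - (total + 1);

        pos += cut + 1;
        len -= fixed ? cut + 1 : cut; /* the accounting under test */
    }
    return worst;
}

int main(void)
{
    static char msg[6321]; /* constructed input: one 6320-byte word */
    memset(msg, 'A', sizeof msg - 1);
    return wrap_overread(msg, 1) == 0 && wrap_overread(msg, 0) == 78 ? 0 : 1;
}
```

With consistent accounting the cursor plus the remainder always equals the message length, so no line write can extend past the buffer.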
Resolution
Upgrade to 7.62.0-1.
# pacman -Syu "curl>=7.62.0-1"
The problems have been fixed upstream in version 7.62.0.
References
https://curl.se/docs/CVE-2018-16840.html
https://github.com/curl/curl/commit/81d135d67155c5295b1033679c606165d4e28f3f
https://curl.se/docs/CVE-2018-16842.html
https://github.com/curl/curl/commit/d530e92f59ae9bb2d47066c3c460b25d2ffeb211
https://security.archlinux.org/CVE-2018-16840
https://security.archlinux.org/CVE-2018-16842
Workaround
None.