Arch Linux Security Advisory ASA-201811-9
========================================
Severity: High
Date    : 2018-11-06
CVE-ID  : CVE-2018-16839 CVE-2018-16840
Package : lib32-curl
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-796

Summary
======
The package lib32-curl before version 7.62.0-1 is vulnerable to
arbitrary code execution.

Resolution
=========
Upgrade to 7.62.0-1.

# pacman -Syu "lib32-curl>=7.62.0-1"

The problems have been fixed upstream in version 7.62.0.

Workaround
=========
None.

Description
==========
- CVE-2018-16839 (arbitrary code execution)

The internal function Curl_auth_create_plain_message fails to correctly
verify that the passed in lengths for name and password aren't too
long, then calculates a buffer size to allocate. On systems with a 32
bit size_t, the math to calculate the buffer size triggers an integer
overflow when the user name length exceeds 2GB (2^31 bytes). This
integer overflow usually causes a very small buffer to actually get
allocated instead of the intended very huge one, making the use of that
buffer end up in a heap buffer overflow.

- CVE-2018-16840 (arbitrary code execution)

A heap use-after-free flaw was found in curl versions from 7.59.0
through 7.61.1 in the code related to closing an easy handle. When
closing and cleaning up an 'easy' handle in the `Curl_close()`
function, the library code first frees a struct (without nulling the
pointer) and might then subsequently erroneously write to a struct
field within that already freed struct.

Impact
=====
A malicious remote server might be able to execute arbitrary commands
by closing the connection from a client using easy handlers. A
malicious user could execute arbitrary code by passing a very long
username or password used for SASL authentication.

References
=========
https://curl.se/docs/CVE-2018-16839.html
https://github.com/curl/curl/commit/f3a24d7916b9173c69a3e0ee790102993833d6c5
https://curl.se/docs/CVE-2018-16840.html
https://github.com/curl/curl/commit/81d135d67155c5295b1033679c606165d4e28f3f
https://security.archlinux.org/CVE-2018-16839
https://security.archlinux.org/CVE-2018-16840

ArchLinux: 201811-9: lib32-curl: arbitrary code execution

November 10, 2018

Summary

- CVE-2018-16839 (arbitrary code execution) The internal function Curl_auth_create_plain_message fails to correctly verify that the passed in lengths for name and password aren't too long, then calculates a buffer size to allocate. On systems with a 32 bit size_t, the math to calculate the buffer size triggers an integer overflow when the user name length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow.
- CVE-2018-16840 (arbitrary code execution)
A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. When closing and cleaning up an 'easy' handle in the `Curl_close()` function, the library code first frees a struct (without nulling the pointer) and might then subsequently erroneously write to a struct field within that already freed struct.

Resolution

Upgrade to 7.62.0-1. # pacman -Syu "lib32-curl>=7.62.0-1"
The problems have been fixed upstream in version 7.62.0.

References

https://curl.se/docs/CVE-2018-16839.html https://github.com/curl/curl/commit/f3a24d7916b9173c69a3e0ee790102993833d6c5 https://curl.se/docs/CVE-2018-16840.html https://github.com/curl/curl/commit/81d135d67155c5295b1033679c606165d4e28f3f https://security.archlinux.org/CVE-2018-16839 https://security.archlinux.org/CVE-2018-16840

Severity
Package : lib32-curl
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-796

Workaround

None.

Related News

5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
28.Lock Globe Esm H320
1 - 2 min read
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
2 - 4 min read
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
2 - 3 min read
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
2 - 3 min read
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
8.Locks HexConnections CodeGlobe Esm H320
2 - 3 min read
Canonical has launched Ubuntu Pro for Devices , a comprehensive offering emphasizing security and compliance for IoT device deployments. This
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved