Bug 1084532 (CVE-2018-1000122)

Summary: VUL-0: CVE-2018-1000122: curl: RTSP RTP buffer over-read
Product: [Novell Products] SUSE Security Incidents
Reporter: Johannes Segitz <jsegitz>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: meissner, pmonrealgonzalez
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
  CVSSv3:SUSE:CVE-2018-1000122:5.4:(AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L)
  CVSSv3:RedHat:CVE-2018-1000122:6.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)
  CVSSv3:NVD:CVE-2018-1000122:9.1:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: Patch for SLE-12

Comment 2 Marcus Meissner 2018-03-14 07:01:45 UTC
is public now:

RTSP RTP buffer over-read
=========================

Project curl Security Advisory, March 14th 2018 -
[Permalink](https://curl.haxx.se/docs/adv_2018-b047.html)

VULNERABILITY
-------------

curl can be tricked into copying data beyond the end of its heap-based buffer.

When asked to transfer an RTSP URL, curl could calculate a wrong data length
to copy from the read buffer. The memcpy call would copy data from the heap
following the buffer to a storage area that would subsequently be delivered to
the application (if it didn't cause a crash). We've managed to get it to reach
several hundred bytes out of range.

This could lead to information leakage or a denial of service for the
application if the server offering the RTSP data can trigger this.

We are not aware of any exploit of this flaw.

INFO
----

This bug was introduced in January 2010 in [this
commit](https://github.com/curl/curl/commit/bc4582b68a673d3) when RTSP support
was first added.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2018-1000122 to this issue.

CWE-126: Buffer Over-read

AFFECTED VERSIONS
-----------------

- Affected versions: curl 7.20.0 to and including curl 7.58.0
- Not affected versions: curl < 7.20.0 and curl >= 7.59.0

libcurl is used by many applications, but not always advertised as such.

THE SOLUTION
------------

In curl version 7.59.0, curl makes sure that this code never gets told to copy
more data than it is allowed to read from the buffer.

A [patch for CVE-2018-1000122](https://curl.haxx.se/CVE-2018-1000122.patch) is available.

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

  A - Upgrade curl to version 7.59.0

  B - Apply the patch to your version and rebuild

TIME LINE
---------

It was reported to the curl project on February 20, 2018.

We contacted distros@openwall on March 8, 2018.

curl 7.59.0 was released on March 14, 2018, coordinated with the publication of
this advisory.

CREDITS
-------

Detected by OSS-fuzz. Assisted by Max Dymond. Patch by Daniel Stenberg.

Thanks a lot!

-- 

  / daniel.haxx.se
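The over-read pattern the advisory describes, as an added illustration that is not part of the bug report and is not curl's own code. It models the RTSP interleaved binary data framing from RFC 2326 section 10.12 ('$', one channel byte, a two-byte big-endian length, then payload): the server controls that 16-bit length, so a frame can claim up to 65535 bytes while the read buffer holds far less. The toy extractor below shows, in a comment, the unchecked memcpy that reads past the buffer, and implements the check that makes the copy length never exceed what was actually read. Function names, status codes and the sample frames are constructed for this example.

```c
/* Added example (not curl's code): extracting an RTSP interleaved RTP frame
 * from a read buffer without trusting the peer-supplied length (CWE-126). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum rtp_status { RTP_OK = 0, RTP_NEED_MORE = 1, RTP_BAD_FRAME = 2, RTP_TOO_LARGE = 3 };

/* Hypothetical hardened extractor. buf/nread is the read buffer and the
 * number of bytes the transport actually delivered into it. On RTP_OK the
 * payload is copied to out, *payload_len is set and *consumed says how many
 * bytes of buf were used. */
enum rtp_status rtp_extract(const uint8_t *buf, size_t nread,
                            uint8_t *out, size_t outcap,
                            size_t *payload_len, size_t *consumed)
{
    *payload_len = 0;
    *consumed = 0;
    if (nread < 4)
        return RTP_NEED_MORE;            /* incomplete 4-byte header */
    if (buf[0] != '$')
        return RTP_BAD_FRAME;            /* not an interleaved frame */

    size_t len = ((size_t)buf[2] << 8) | buf[3];   /* peer-controlled, 0..65535 */

    /* The over-read: computing len from the header and then doing
     *     memcpy(out, buf + 4, len);
     * copies len bytes even when only nread - 4 payload bytes are in the
     * buffer, so the excess comes from whatever heap memory follows it.
     * The fix is to refuse to copy more than was read. */
    if (len > nread - 4)
        return RTP_NEED_MORE;            /* partial frame: copy nothing yet */
    if (len > outcap)
        return RTP_TOO_LARGE;

    memcpy(out, buf + 4, len);
    *payload_len = len;
    *consumed = 4 + len;
    return RTP_OK;
}

/* Constructed input: a complete frame on channel 0 carrying 3 payload bytes.
 * Returns the payload length on success, -1 otherwise. */
int demo_good_frame(void)
{
    const uint8_t good[] = { '$', 0x00, 0x00, 0x03, 0xAA, 0xBB, 0xCC };
    uint8_t out[64];
    size_t plen = 0, used = 0;
    if (rtp_extract(good, sizeof good, out, sizeof out, &plen, &used) != RTP_OK)
        return -1;
    return (int)plen;
}

/* Constructed input: header claims 512 payload bytes, but only 4 follow.
 * The hardened extractor must report RTP_NEED_MORE and copy nothing. */
int demo_lying_frame(void)
{
    const uint8_t lying[] = { '$', 0x00, 0x02, 0x00, 0x01, 0x02, 0x03, 0x04 };
    uint8_t out[64];
    size_t plen = 0, used = 0;
    return (int)rtp_extract(lying, sizeof lying, out, sizeof out, &plen, &used);
}

/* Constructed input: a truncated header (only 2 bytes arrived so far). */
int demo_short_header(void)
{
    const uint8_t partial[] = { '$', 0x00 };
    uint8_t out[64];
    size_t plen = 0, used = 0;
    return (int)rtp_extract(partial, sizeof partial, out, sizeof out, &plen, &used);
}

/* Returns 1 when all three cases behave as the hardened code should. */
int demo(void)
{
    int ok = demo_good_frame() == 3
          && demo_lying_frame() == RTP_NEED_MORE
          && demo_short_header() == RTP_NEED_MORE;
    printf("good frame payload: %d bytes\n", demo_good_frame());
    printf("lying frame status: %d (RTP_NEED_MORE, nothing copied)\n", demo_lying_frame());
    return ok;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```

The length check against `nread - 4` is the whole fix: without it the copy is bounded by a value the remote server chooses rather than by what the transport delivered, and the bytes delivered to the application past the real payload are heap contents, which is exactly the information leak or crash the advisory describes.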
Comment 3 Pedro Monreal Gonzalez 2018-03-14 14:50:03 UTC
Packages submitted:

Factory      7.58.0 Updated to version 7.59.0           sr#586981
Leap:42.3    7.37.0 Comes from SLE-12
SLE-12       7.37.0 curl-7.37.0-CVE-2018-1000122.patch  sr#158469
SLE-11-SP3   7.19.7 Not affected
SLE-11-SP1   7.19.7 Not affected
SLE-10-SP3   7.15.1 Not affected
Comment 5 Pedro Monreal Gonzalez 2018-03-14 15:12:03 UTC
Created attachment 763670 [details]
Patch for SLE-12
Comment 6 Pedro Monreal Gonzalez 2018-03-14 17:40:24 UTC
Update: Since curl in SLE11-SP3 has been recently updated from 7.19.7 to the one in SLE-12 (7.37.0), see [0], this codestream is also affected now. I have submitted on top of [1], see sr#158580.

[0] https://fate.suse.com/325339
[1] https://build.suse.de/request/show/156994
Comment 9 Swamp Workflow Management 2018-03-22 11:09:34 UTC
SUSE-SU-2018:0769-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1084521,1084524,1084532
CVE References: CVE-2018-1000120,CVE-2018-1000121,CVE-2018-1000122
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    curl-7.37.0-37.17.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    curl-7.37.0-37.17.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    curl-7.37.0-37.17.1
SUSE Linux Enterprise Server 12-SP3 (src):    curl-7.37.0-37.17.1
SUSE Linux Enterprise Server 12-SP2 (src):    curl-7.37.0-37.17.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    curl-7.37.0-37.17.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    curl-7.37.0-37.17.1
SUSE CaaS Platform ALL (src):    curl-7.37.0-37.17.1
OpenStack Cloud Magnum Orchestration 7 (src):    curl-7.37.0-37.17.1
Comment 10 Swamp Workflow Management 2018-03-23 23:09:26 UTC
openSUSE-SU-2018:0794-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1084521,1084524,1084532
CVE References: CVE-2018-1000120,CVE-2018-1000121,CVE-2018-1000122
Sources used:
openSUSE Leap 42.3 (src):    curl-7.37.0-33.1
Comment 15 Swamp Workflow Management 2018-05-17 01:11:19 UTC
SUSE-SU-2018:1323-1: An update that solves three vulnerabilities and has 7 fixes is now available.

Category: security (moderate)
Bug References: 1081056,1083463,1084137,1084521,1084524,1084532,1085124,1086825,1087922,1090194
CVE References: CVE-2018-1000120,CVE-2018-1000121,CVE-2018-1000122
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    curl-7.37.0-70.27.1
SUSE Linux Enterprise Server 11-SP4 (src):    curl-7.37.0-70.27.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    curl-7.37.0-70.27.1
SUSE Linux Enterprise Server 11-SECURITY (src):    curl-openssl1-7.37.0-70.27.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    curl-7.37.0-70.27.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    curl-7.37.0-70.27.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    curl-7.37.0-70.27.1
Comment 16 Marcus Meissner 2018-05-18 09:15:50 UTC
released