Bug 1084524 - (CVE-2018-1000121) VUL-1: CVE-2018-1000121: curl: LDAP NULL pointer dereference
Status: RESOLVED FIXED
Duplicates: 1085215
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low, Severity: Minor
Assigned To: Security Team bot
CVSSv3:RedHat:CVE-2018-1000121:5.3:(A...
Reported: 2018-03-08 14:49 UTC by Johannes Segitz
Modified: 2019-08-16 15:46 UTC (History)
Description Johannes Segitz 2018-03-08 14:49:54 UTC
Created attachment 763111 [details]
Upstream patch

From: Daniel Stenberg

I would like to make you all aware of this curl security issue and ask for a
CVE for it. This is curl sec-issue 2 out of 2 that are scheduled to be
announced on March 21.

The URL for the patch in the advisory works, but the ultimate URL will be
changed when this advisory goes public.

LDAP NULL pointer dereference
=============================

Project curl Security Advisory, March 21st 2018 -
[Permalink](https://curl.haxx.se/docs/adv_2018-97a2.html)

VULNERABILITY
-------------

curl might dereference a near-NULL address when getting an LDAP URL.

The function `ldap_get_attribute_ber()` is called to get attributes, but it
turns out that it can return `LDAP_SUCCESS` and still return a `NULL` pointer
in the result pointer when getting a particularly crafted response. This was a
surprise to us and to the code.

libcurl-using applications that allow LDAP URLs, or that allow redirects to
LDAP URLs could be made to crash by a malicious server.

We are not aware of any exploit of this flaw.

INFO
----

The bug is only present in curl versions built to use OpenLDAP.

This bug was introduced in May 2010 in [this
commit](https://github.com/curl/curl/commit/2e056353b00d09).

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2018-XXXXXXX to this issue.

AFFECTED VERSIONS
-----------------

- Affected versions: curl 7.21.0 to and including 7.58.0
- Not affected versions: curl < 7.21.0 and curl >= 7.59.0

libcurl is used by many applications, but not always advertised as such.

THE SOLUTION
------------

In curl version 7.59.0, curl checks the pointer properly before using it.

A [patch for CVE-2018-XXXXXXX](https://curl.haxx.se/97a2.patch) is available.

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

  A - Upgrade curl to version 7.59.0

  B - Apply the patch to your version and rebuild

  C - Make sure you disable LDAP in your transfers

TIME LINE
---------

It was reported to the curl project on March 6, 2018

We contacted distros@openwall on March 7, 2018.

curl 7.59.0 was released on March 21 2018, coordinated with the publication
of this advisory.

CREDITS
-------

Reported by Dario Weisser. Patch by Daniel Stenberg.
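
The failure mode the advisory describes, as an added C example that is neither curl's code nor part of the original report. `get_attribute()`, `struct value` and the sample data are hypothetical stand-ins for the OpenLDAP call and its results, constructed so the example builds without an LDAP library.

```c
#include <stddef.h>

#define RC_SUCCESS 0  /* stands in for LDAP_SUCCESS */

/* Hypothetical value type; a value array ends at the entry with val == NULL. */
struct value { size_t len; const char *val; };

/* Constructed data: "mail" has two values, "photo" has none. */
static struct value mail_vals[] = { {7, "a@x.org"}, {7, "b@x.org"}, {0, NULL} };

/* Hypothetical stand-in for the library call. Attribute 1 reports success
   but leaves *vals NULL, the combination the advisory describes. */
static int get_attribute(int idx, const char **name, struct value **vals)
{
  *name = idx == 0 ? "mail" : idx == 1 ? "photo" : NULL; /* NULL name: done */
  *vals = idx == 0 ? mail_vals : NULL;
  return RC_SUCCESS;
}

/* Unchecked: trusts the return code alone. For "photo", vals[0].val is read
   from a few bytes above address zero, a near-NULL dereference. */
long total_bytes_unchecked(void)
{
  const char *name; struct value *vals; long total = 0;
  for(int idx = 0; get_attribute(idx, &name, &vals) == RC_SUCCESS && name; idx++)
    for(size_t i = 0; vals[i].val; i++)
      total += (long)vals[i].len;
  return total;
}

/* Checked: a NULL array is treated as "attribute without values" and skipped.
   *skipped reports how many such attributes were seen. */
long total_bytes_checked(int *skipped)
{
  const char *name; struct value *vals; long total = 0;
  *skipped = 0;
  for(int idx = 0; get_attribute(idx, &name, &vals) == RC_SUCCESS && name; idx++) {
    if(!vals) { (*skipped)++; continue; }
    for(size_t i = 0; vals[i].val; i++)
      total += (long)vals[i].len;
  }
  return total;
}
```

On the constructed data the checked form returns 14 with one attribute skipped; the unchecked form typically faults on the second attribute.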
Comment 1 Johannes Segitz 2018-03-08 14:50:20 UTC
This is an embargoed bug. This means that this information is not public. Please
- do not talk to other people about this unless they're involved in fixing the issue
- do not submit this into OBS (e.g. fix Leap) until this is public
- do not make this bug public
- Please be aware that the SUSE:SLE-15:GA codestream is available via OBS. This means that you can't submit security fixes for embargoed issues to SLE 15 until they become public.

CRD: 2018-03-21
Comment 2 Johannes Segitz 2018-03-14 07:39:11 UTC
*** Bug 1085215 has been marked as a duplicate of this bug. ***
Comment 3 Johannes Segitz 2018-03-14 07:40:03 UTC
public
Comment 4 Pedro Monreal Gonzalez 2018-03-14 14:52:02 UTC
Packages submitted:

Factory     7.58.0      Updated to version 7.59.0           sr#586981
Leap:42.3   7.37.0      Comes from SLE-12
SLE-12      7.37.0      curl-7.37.0-CVE-2018-1000121.patch  sr#158469
SLE-11-SP3  7.19.7      Not affected
SLE-11-SP1  7.19.7      Not affected
SLE-10-SP3  7.15.1      Not affected
Comment 6 Pedro Monreal Gonzalez 2018-03-14 15:12:57 UTC
Created attachment 763671 [details]
SLE12 patch
Comment 7 Pedro Monreal Gonzalez 2018-03-14 17:40:53 UTC
Update: Since curl in SLE11-SP3 has been recently updated from 7.19.7 to the one in SLE-12 (7.37.0), see [0], this codestream is also affected now. I have submitted on top of [1], see sr#158580.

[0] https://fate.suse.com/325339
[1] https://build.suse.de/request/show/156994
Comment 10 Swamp Workflow Management 2018-03-22 11:09:26 UTC
SUSE-SU-2018:0769-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1084521,1084524,1084532
CVE References: CVE-2018-1000120,CVE-2018-1000121,CVE-2018-1000122
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    curl-7.37.0-37.17.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    curl-7.37.0-37.17.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    curl-7.37.0-37.17.1
SUSE Linux Enterprise Server 12-SP3 (src):    curl-7.37.0-37.17.1
SUSE Linux Enterprise Server 12-SP2 (src):    curl-7.37.0-37.17.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    curl-7.37.0-37.17.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    curl-7.37.0-37.17.1
SUSE CaaS Platform ALL (src):    curl-7.37.0-37.17.1
OpenStack Cloud Magnum Orchestration 7 (src):    curl-7.37.0-37.17.1
Comment 11 Swamp Workflow Management 2018-03-23 23:09:19 UTC
openSUSE-SU-2018:0794-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1084521,1084524,1084532
CVE References: CVE-2018-1000120,CVE-2018-1000121,CVE-2018-1000122
Sources used:
openSUSE Leap 42.3 (src):    curl-7.37.0-33.1
Comment 16 Swamp Workflow Management 2018-05-17 01:11:08 UTC
SUSE-SU-2018:1323-1: An update that solves three vulnerabilities and has 7 fixes is now available.

Category: security (moderate)
Bug References: 1081056,1083463,1084137,1084521,1084524,1084532,1085124,1086825,1087922,1090194
CVE References: CVE-2018-1000120,CVE-2018-1000121,CVE-2018-1000122
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    curl-7.37.0-70.27.1
SUSE Linux Enterprise Server 11-SP4 (src):    curl-7.37.0-70.27.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    curl-7.37.0-70.27.1
SUSE Linux Enterprise Server 11-SECURITY (src):    curl-openssl1-7.37.0-70.27.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    curl-7.37.0-70.27.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    curl-7.37.0-70.27.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    curl-7.37.0-70.27.1
Comment 17 Marcus Meissner 2018-05-18 09:15:25 UTC
released