Bugzilla – Bug 1084524
VUL-1: CVE-2018-1000121: curl: LDAP NULL pointer dereference
Last modified: 2019-08-16 15:46:39 UTC
Created attachment 763111 [details]
Upstream patch

From: Daniel Stenberg

I would like to make you all aware of this curl security issue and ask for a CVE for it.

This is curl sec-issue 2 out of 2 that are scheduled to be announced on March 21.

The URL for the patch in the advisory works, but the ultimate URL will be changed when this advisory goes public.

LDAP NULL pointer dereference
=============================

Project curl Security Advisory, March 21st 2018 - [Permalink](https://curl.haxx.se/docs/adv_2018-97a2.html)

VULNERABILITY
-------------

curl might dereference a near-NULL address when getting an LDAP URL.

The function `ldap_get_attribute_ber()` is called to get attributes, but it turns out that it can return `LDAP_SUCCESS` and still return a `NULL` pointer in the result pointer when getting a particularly crafted response. This was a surprise to us and to the code.

libcurl-using applications that allow LDAP URLs, or that allow redirects to LDAP URLs could be made to crash by a malicious server.

We are not aware of any exploit of this flaw.

INFO
----

The bug is only present in curl versions built to use OpenLDAP.

This bug was introduced in May 2010 in [this commit](https://github.com/curl/curl/commit/2e056353b00d09).

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2018-XXXXXXX to this issue.

AFFECTED VERSIONS
-----------------

- Affected versions: curl 7.21.0 to and including 7.58.0
- Not affected versions: curl < 7.21.0 and curl >= 7.59.0

libcurl is used by many applications, but not always advertised as such.

THE SOLUTION
------------

In curl version 7.59.0, curl checks the pointer properly before using it.

A [patch for CVE-2018-XXXXXXX](https://curl.haxx.se/97a2.patch) is available.

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of preference:

A - Upgrade curl to version 7.59.0

B - Apply the patch to your version and rebuild

C - Make sure you disable LDAP in your transfers

TIME LINE
---------

It was reported to the curl project on March 6, 2018

We contacted distros@openwall on March 7, 2018.

curl 7.59.0 was released on March 21 2018, coordinated with the publication of this advisory.

CREDITS
-------

Reported by Dario Weisser. Patch by Daniel Stenberg.
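The failure mode the advisory describes, a call that reports success while leaving its result pointer NULL, shown as an added example that is not part of the advisory or of curl's code. `next_attribute`, the status codes and the sample responses are hypothetical stand-ins constructed here, not libldap's API.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical names throughout: a model of the API contract, not libldap. */
enum { ST_SUCCESS = 0, ST_DONE = 1 };
#define ERR_MALFORMED (-1L)

struct value { size_t len; const char *data; };   /* list ends at data == NULL */
struct attr { const char *name; const struct value *vals; };
struct cursor { const struct attr *attrs; size_t count, pos; };

/* Stand-in for the library call: it reports success for every attribute the
   server sent, including one whose value list pointer is NULL. */
static int next_attribute(struct cursor *c, const char **name,
                          const struct value **vals)
{
  if(c->pos >= c->count)
    return ST_DONE;
  *name = c->attrs[c->pos].name;
  *vals = c->attrs[c->pos].vals;
  c->pos++;
  return ST_SUCCESS;
}

/* Sum the value lengths of a response. A success status with a NULL result
   pointer is treated as a malformed response instead of being dereferenced. */
long total_value_bytes(struct cursor *c)
{
  const char *name = NULL;
  const struct value *vals = NULL;
  long total = 0;
  while(next_attribute(c, &name, &vals) == ST_SUCCESS) {
    if(!name || !vals)          /* the status code alone is not enough */
      return ERR_MALFORMED;
    for(size_t i = 0; vals[i].data; i++)
      total += (long)vals[i].len;
  }
  return total;
}

/* Constructed sample responses: one well formed, one with a NULL value list. */
static const struct value v_cn[] = { {5, "alice"}, {3, "ali"}, {0, NULL} };
static const struct value v_mail[] = { {17, "alice@example.org"}, {0, NULL} };
static const struct attr well_formed[] = { {"cn", v_cn}, {"mail", v_mail} };
static const struct attr crafted[] = { {"cn", v_cn}, {"mail", NULL} };

long run_well_formed(void) { struct cursor c = { well_formed, 2, 0 }; return total_value_bytes(&c); }
long run_crafted(void) { struct cursor c = { crafted, 2, 0 }; return total_value_bytes(&c); }
int main(void) { printf("%ld %ld\n", run_well_formed(), run_crafted()); return 0; }
```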
This is an embargoed bug. This means that this information is not public.

Please
- do not talk to other people about this unless they're involved in fixing the issue
- do not submit this into OBS (e.g. fix Leap) until this is public
- do not make this bug public
- Please be aware that the SUSE:SLE-15:GA codestream is available via OBS. This means that you can't submit security fixes for embargoed issues to SLE 15 until they become public.

CRD: 2018-03-21
*** Bug 1085215 has been marked as a duplicate of this bug. ***
public
Packages submitted:

Factory      7.58.0   Updated to version 7.59.0            sr#586981
Leap:42.3    7.37.0   Comes from SLE-12
SLE-12       7.37.0   curl-7.37.0-CVE-2018-1000121.patch   sr#158469
SLE-11-SP3   7.19.7   Not affected
SLE-11-SP1   7.19.7   Not affected
SLE-10-SP3   7.15.1   Not affected
Created attachment 763671 [details] SLE12 patch
Update: Since curl in SLE11-SP3 has been recently updated from 7.19.7 to the one in SLE-12 (7.37.0), see [0], this codestream is also affected now. I have submitted on top of [1], see sr#158580.

[0] https://fate.suse.com/325339
[1] https://build.suse.de/request/show/156994
SUSE-SU-2018:0769-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1084521,1084524,1084532
CVE References: CVE-2018-1000120,CVE-2018-1000121,CVE-2018-1000122
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): curl-7.37.0-37.17.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): curl-7.37.0-37.17.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): curl-7.37.0-37.17.1
SUSE Linux Enterprise Server 12-SP3 (src): curl-7.37.0-37.17.1
SUSE Linux Enterprise Server 12-SP2 (src): curl-7.37.0-37.17.1
SUSE Linux Enterprise Desktop 12-SP3 (src): curl-7.37.0-37.17.1
SUSE Linux Enterprise Desktop 12-SP2 (src): curl-7.37.0-37.17.1
SUSE CaaS Platform ALL (src): curl-7.37.0-37.17.1
OpenStack Cloud Magnum Orchestration 7 (src): curl-7.37.0-37.17.1

openSUSE-SU-2018:0794-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1084521,1084524,1084532
CVE References: CVE-2018-1000120,CVE-2018-1000121,CVE-2018-1000122
Sources used:
openSUSE Leap 42.3 (src): curl-7.37.0-33.1

SUSE-SU-2018:1323-1: An update that solves three vulnerabilities and has 7 fixes is now available.

Category: security (moderate)
Bug References: 1081056,1083463,1084137,1084521,1084524,1084532,1085124,1086825,1087922,1090194
CVE References: CVE-2018-1000120,CVE-2018-1000121,CVE-2018-1000122
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): curl-7.37.0-70.27.1
SUSE Linux Enterprise Server 11-SP4 (src): curl-7.37.0-70.27.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src): curl-7.37.0-70.27.1
SUSE Linux Enterprise Server 11-SECURITY (src): curl-openssl1-7.37.0-70.27.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src): curl-7.37.0-70.27.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): curl-7.37.0-70.27.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): curl-7.37.0-70.27.1
released