Bugzilla – Bug 1084532
VUL-0: CVE-2018-1000122: curl: RTSP RTP buffer over-read
Last modified: 2019-05-29 08:28:13 UTC
is public now:

RTSP RTP buffer over-read
=========================

Project curl Security Advisory, March 14th 2018 - [Permalink](https://curl.haxx.se/docs/adv_2018-b047.html)

VULNERABILITY
-------------

curl can be tricked into copying data beyond end of its heap based buffer.

When asked to transfer an RTSP URL, curl could calculate a wrong data length to copy from the read buffer. The memcpy call would copy data from the heap following the buffer to a storage area that would subsequently be delivered to the application (if it didn't cause a crash). We've managed to get it to reach several hundreds bytes out of range.

This could lead to information leakage or a denial of service for the application if the server offering the RTSP data can trigger this.

We are not aware of any exploit of this flaw.

INFO
----

This bug was introduced in January 2010 in [this commit](https://github.com/curl/curl/commit/bc4582b68a673d3) when RTSP support was first added.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2018-1000122 to this issue.

CWE-126: Buffer Over-read

AFFECTED VERSIONS
-----------------

- Affected versions: curl 7.20.0 to and including curl 7.58.0
- Not affected versions: curl < 7.20.0 and curl >= 7.59.0

libcurl is used by many applications, but not always advertised as such.

THE SOLUTION
------------

In curl version 7.59.0, curl makes sure that this code never gets told to copy more data than it is allowed to read from the buffer.

A [patch for CVE-2018-1000122](https://curl.haxx.se/CVE-2018-1000122.patch) is available.

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of preference:

A - Upgrade curl to version 7.59.0

B - Apply the patch to your version and rebuild

TIME LINE
---------

It was reported to the curl project on February 20, 2018

We contacted distros@openwall on March 8, 2018.

curl 7.59.0 was released on March 14 2018, coordinated with the publication of this advisory.

CREDITS
-------

Detected by OSS-fuzz. Assisted by Max Dymond. Patch by Daniel Stenberg.

Thanks a lot!

-- / daniel.haxx.se
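The bug class the advisory above describes (a copy length that is not bounded by the bytes actually present in the read buffer), shown as an added example that is not taken from curl's source or from the CVE-2018-1000122 patch. The function name, result codes and sample frame are hypothetical; the `$`, channel, 16-bit length framing is RTSP's interleaved binary data format from RFC 2326.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this example. */
enum { RTP_OK = 0, RTP_NEED_MORE = 1, RTP_BAD = -1 };

/* Copy one interleaved frame ('$', channel, 16-bit big-endian length,
 * payload) from buf into out. avail is the number of bytes actually
 * received into buf; outcap is the size of out. */
int rtp_copy_frame(const uint8_t *buf, size_t avail,
                   uint8_t *out, size_t outcap, size_t *copied)
{
  size_t claimed;

  *copied = 0;
  if(avail < 4)
    return RTP_NEED_MORE;       /* header not complete yet */
  if(buf[0] != '$')
    return RTP_BAD;             /* not an interleaved frame */

  claimed = ((size_t)buf[2] << 8) | buf[3];  /* length chosen by the peer */

  /* Over-read pattern: memcpy(out, buf + 4, claimed) with no check here
   * would read past the received data whenever claimed > avail - 4. */
  if(claimed > avail - 4)
    return RTP_NEED_MORE;       /* wait for more data, never read past avail */
  if(claimed > outcap)
    return RTP_BAD;             /* would not fit the destination */

  memcpy(out, buf + 4, claimed);
  *copied = claimed;
  return RTP_OK;
}

int main(void)
{
  /* Constructed sample: header claims 500 bytes, only 3 were received. */
  const uint8_t lying[] = { '$', 0, 0x01, 0xF4, 'a', 'b', 'c' };
  uint8_t out[512];
  size_t n;
  int rc = rtp_copy_frame(lying, sizeof lying, out, sizeof out, &n);

  printf("rc=%d copied=%zu\n", rc, n);
  return 0;
}
```

Building a parser like this with `-fsanitize=address` and feeding it truncated frames is how an unchecked variant shows up as a heap-buffer-overflow read.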
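Packages submitted:

| Codestream | Version | Status | Request |
|------------|---------|--------|---------|
| Factory | 7.58.0 | Updated to version 7.59.0 | sr#586981 |
| Leap:42.3 | 7.37.0 | Comes from SLE-12 | |
| SLE-12 | 7.37.0 | curl-7.37.0-CVE-2018-1000122.patch | sr#158469 |
| SLE-11-SP3 | 7.19.7 | Not affected | |
| SLE-11-SP1 | 7.19.7 | Not affected | |
| SLE-10-SP3 | 7.15.1 | Not affected | |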
Created attachment 763670: Patch for SLE-12
Update: Since curl in SLE11-SP3 has been recently updated from 7.19.7 to the one in SLE-12 (7.37.0), see [0], this codestream is also affected now. I have submitted on top of [1], see sr#158580.

[0] https://fate.suse.com/325339

[1] https://build.suse.de/request/show/156994
SUSE-SU-2018:0769-1: An update that fixes three vulnerabilities is now available.

- Category: security (moderate)
- Bug References: 1084521,1084524,1084532
- CVE References: CVE-2018-1000120,CVE-2018-1000121,CVE-2018-1000122
- Sources used:
  - SUSE Linux Enterprise Software Development Kit 12-SP3 (src): curl-7.37.0-37.17.1
  - SUSE Linux Enterprise Software Development Kit 12-SP2 (src): curl-7.37.0-37.17.1
  - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): curl-7.37.0-37.17.1
  - SUSE Linux Enterprise Server 12-SP3 (src): curl-7.37.0-37.17.1
  - SUSE Linux Enterprise Server 12-SP2 (src): curl-7.37.0-37.17.1
  - SUSE Linux Enterprise Desktop 12-SP3 (src): curl-7.37.0-37.17.1
  - SUSE Linux Enterprise Desktop 12-SP2 (src): curl-7.37.0-37.17.1
  - SUSE CaaS Platform ALL (src): curl-7.37.0-37.17.1
  - OpenStack Cloud Magnum Orchestration 7 (src): curl-7.37.0-37.17.1

openSUSE-SU-2018:0794-1: An update that fixes three vulnerabilities is now available.

- Category: security (moderate)
- Bug References: 1084521,1084524,1084532
- CVE References: CVE-2018-1000120,CVE-2018-1000121,CVE-2018-1000122
- Sources used:
  - openSUSE Leap 42.3 (src): curl-7.37.0-33.1

SUSE-SU-2018:1323-1: An update that solves three vulnerabilities and has 7 fixes is now available.

- Category: security (moderate)
- Bug References: 1081056,1083463,1084137,1084521,1084524,1084532,1085124,1086825,1087922,1090194
- CVE References: CVE-2018-1000120,CVE-2018-1000121,CVE-2018-1000122
- Sources used:
  - SUSE Linux Enterprise Software Development Kit 11-SP4 (src): curl-7.37.0-70.27.1
  - SUSE Linux Enterprise Server 11-SP4 (src): curl-7.37.0-70.27.1
  - SUSE Linux Enterprise Server 11-SP3-LTSS (src): curl-7.37.0-70.27.1
  - SUSE Linux Enterprise Server 11-SECURITY (src): curl-openssl1-7.37.0-70.27.1
  - SUSE Linux Enterprise Point of Sale 11-SP3 (src): curl-7.37.0-70.27.1
  - SUSE Linux Enterprise Debuginfo 11-SP4 (src): curl-7.37.0-70.27.1
  - SUSE Linux Enterprise Debuginfo 11-SP3 (src): curl-7.37.0-70.27.1
released