Bug 1085215 - VUL-0: CVE-2018-1000121: curl: LDAP NULL pointer dereference
Status: RESOLVED DUPLICATE of bug 1084524
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P5 - None, Severity: Normal
Assigned To: Pedro Monreal Gonzalez
Security Team bot
https://smash.suse.de/issue/201809/
CVSSv3:RedHat:CVE-2018-1000121:5.3:(A...
Reported: 2018-03-14 07:04 UTC by Marcus Meissner
Modified: 2019-05-01 14:12 UTC
Found By: Security Response Team

Description Marcus Meissner 2018-03-14 07:04:58 UTC
CVE-2018-1000121

https://curl.haxx.se/docs/adv_2018-97a2.html


LDAP NULL pointer dereference
=============================

Project curl Security Advisory, March 14th 2018 -
[Permalink](https://curl.haxx.se/docs/adv_2018-97a2.html)

VULNERABILITY
-------------

curl might dereference a near-NULL address when getting an LDAP URL.

The function `ldap_get_attribute_ber()` is called to get attributes, but it
turns out that it can return `LDAP_SUCCESS` and still return a `NULL` pointer
in the result pointer when getting a particularly crafted response. This was a
surprise to us and to the code.

libcurl-using applications that allow LDAP URLs, or that allow redirects to
LDAP URLs could be made to crash by a malicious server.

We are not aware of any exploit of this flaw.

INFO
----

The bug is only present in curl versions built to use OpenLDAP.

This bug was introduced in May 2010 in [this
commit](https://github.com/curl/curl/commit/2e056353b00d09).

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2018-1000121 to this issue.

CWE-476: NULL Pointer Dereference

AFFECTED VERSIONS
-----------------

- Affected versions: curl 7.21.0 to and including curl 7.58.0
- Not affected versions: curl < 7.21.0 and curl >= 7.59.0

libcurl is used by many applications, but not always advertised as such.

THE SOLUTION
------------

In curl version 7.59.0, curl checks the pointer properly before using it.

A [patch for CVE-2018-1000121](https://curl.haxx.se/CVE-2018-1000121.patch) is available.

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

  A - Upgrade curl to version 7.59.0

  B - Apply the patch to your version and rebuild

  C - Make sure you disable LDAP in your transfers

TIME LINE
---------

It was reported to the curl project on March 6, 2018.

We contacted distros@openwall on March 7, 2018.

curl 7.59.0 was released on March 14 2018, coordinated with the publication of
this advisory.

CREDITS
-------

Reported by Dario Weisser. Patch by Daniel Stenberg.

Thanks a lot!

-- 

  / daniel.haxx.se
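
The failure mode described in the advisory above, as an added example that is not curl's or OpenLDAP's code: a getter that reports success yet leaves the result pointer NULL, and a caller that checks the pointer as well as the status. All `demo_*` names, the status codes and the sample entries are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins for the LDAP status code, berval struct and
   attribute getter; constructed for this example, not OpenLDAP or curl code. */
#define DEMO_SUCCESS 0
#define DEMO_NO_MORE 1
struct demo_berval { size_t bv_len; const char *bv_val; };
struct demo_entry { const char *const *attrs; size_t count; size_t next; };

/* Constructed sample entries: one well-formed, one with a crafted NULL name. */
static const char *const demo_good[] = { "cn", "mail" };
static const char *const demo_crafted[] = { "cn", NULL, "mail" };

/* Models the contract from the advisory: the status can be "success"
   while the result pointer handed back is NULL. */
static int demo_get_attribute(struct demo_entry *e, struct demo_berval *out)
{
  if(e->next >= e->count)
    return DEMO_NO_MORE;
  out->bv_val = e->attrs[e->next++];
  out->bv_len = out->bv_val ? strlen(out->bv_val) : 0;
  return DEMO_SUCCESS;
}

/* Joins attribute names with ',' into buf. Returns the number of names
   written, or -1 for a malformed entry or a buffer that is too small. */
int join_attribute_names(struct demo_entry *e, char *buf, size_t buflen)
{
  struct demo_berval bv;
  size_t used = 0;
  int n = 0;
  if(buflen == 0) return -1;
  buf[0] = '\0';
  while(demo_get_attribute(e, &bv) == DEMO_SUCCESS) {
    /* Status alone is not proof of a usable pointer. Without this test
       the memcpy() below would read from address 0 and crash. */
    if(bv.bv_val == NULL)
      return -1;
    if(bv.bv_len + 2 > buflen - used) /* name + ',' + '\0' */
      return -1;
    if(n > 0)
      buf[used++] = ',';
    memcpy(buf + used, bv.bv_val, bv.bv_len);
    used += bv.bv_len;
    buf[used] = '\0';
    n++;
  }
  return n;
}
```
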
Comment 1 Johannes Segitz 2018-03-14 07:39:11 UTC
dup of 1084524

*** This bug has been marked as a duplicate of bug 1084524 ***