CVE-2018-1000005

libcurl 7.49.0 to and including 7.57.0 contains an out bounds read in code handling HTTP/2 trailers. It was reported (https://github.com/curl/curl/pull/2231) that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the code that creates HTTP/1-like headers from the HTTP/2 trailer data once appended a string like `:` to the target buffer, while this was recently changed to `: ` (a space was added after the colon) but the following math wasn't updated correspondingly. When accessed, the data is read out of bounds and causes either a crash or that the (too large) data gets passed to client write. This could lead to a denial-of-service situation or an information disclosure if someone has a service that echoes back or uses the trailers for something.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.1 CRITICAL
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 58%
Affected Products (NVD)
VendorProductVersion
haxxlibcurl
7.49.0 ≤
𝑥
≤ 7.57.0
debiandebian_linux
8.0
debiandebian_linux
9.0
canonicalubuntu_linux
14.04
canonicalubuntu_linux
16.04
canonicalubuntu_linux
17.10
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
curl
bookworm
7.88.1-10+deb12u7
fixed
bookworm (security)
7.88.1-10+deb12u5
fixed
bullseye
7.74.0-1.3+deb11u13
fixed
bullseye (security)
7.74.0-1.3+deb11u11
fixed
jessie
not-affected
sid
8.10.1-2
fixed
trixie
8.10.1-2
fixed
wheezy
not-affected
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
curl
artful
Fixed 7.55.1-1ubuntu2.3
released
trusty
not-affected
xenial
Fixed 7.47.0-1ubuntu2.6
released
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
curl
suse enterprise desktop 15
7.60.0-1.1
fixed
suse enterprise desktop 15 SP1
7.60.0-3.17.1
fixed
suse enterprise desktop 15 SP2
7.66.0-2.59
fixed
suse enterprise desktop 15 SP3
7.66.0-4.14.1
fixed
suse enterprise desktop 15 SP4
7.79.1-150400.3.1
fixed
suse enterprise desktop 15 SP5
8.0.1-150400.5.23.1
fixed
suse enterprise desktop 15 SP6
8.6.0-150600.2.2
fixed
suse enterprise desktop 15 SP7
8.6.0-150600.4.21.1
fixed
suse enterprise sap 12 SP5
7.60.0-9.8
fixed
suse enterprise sap 15
7.60.0-1.1
fixed
suse enterprise sap 15 SP1
7.60.0-3.17.1
fixed
suse enterprise sap 15 SP2
7.66.0-2.59
fixed
suse enterprise sap 15 SP3
7.66.0-4.14.1
fixed
suse enterprise sap 15 SP4
7.79.1-150400.3.1
fixed
suse enterprise sap 15 SP5
8.0.1-150400.5.23.1
fixed
suse enterprise sap 15 SP6
8.6.0-150600.2.2
fixed
suse enterprise sap 15 SP7
8.6.0-150600.4.21.1
fixed
suse enterprise server 12 SP5
7.60.0-9.8
fixed
suse enterprise server 15
7.60.0-1.1
fixed
suse enterprise server 15 SP1
7.60.0-3.17.1
fixed
suse enterprise server 15 SP2
7.66.0-2.59
fixed
suse enterprise server 15 SP3
7.66.0-4.14.1
fixed
suse enterprise server 15 SP4
7.79.1-150400.3.1
fixed
suse enterprise server 15 SP5
8.0.1-150400.5.23.1
fixed
suse enterprise server 15 SP6
8.6.0-150600.2.2
fixed
suse enterprise server 15 SP7
8.6.0-150600.4.21.1
fixed
libcurl-devel
suse enterprise desktop 15
7.60.0-1.1
fixed
suse enterprise desktop 15 SP1
7.60.0-3.17.1
fixed
suse enterprise desktop 15 SP2
7.66.0-2.59
fixed
suse enterprise desktop 15 SP3
7.66.0-4.14.1
fixed
suse enterprise desktop 15 SP4
7.79.1-150400.3.1
fixed
suse enterprise desktop 15 SP5
8.0.1-150400.5.23.1
fixed
suse enterprise desktop 15 SP6
8.6.0-150600.2.2
fixed
suse enterprise desktop 15 SP7
8.6.0-150600.4.21.1
fixed
suse enterprise sap 15
7.60.0-1.1
fixed
suse enterprise sap 15 SP1
7.60.0-3.17.1
fixed
suse enterprise sap 15 SP2
7.66.0-2.59
fixed
suse enterprise sap 15 SP3
7.66.0-4.14.1
fixed
suse enterprise sap 15 SP4
7.79.1-150400.3.1
fixed
suse enterprise sap 15 SP5
8.0.1-150400.5.23.1
fixed
suse enterprise sap 15 SP6
8.6.0-150600.2.2
fixed
suse enterprise sap 15 SP7
8.6.0-150600.4.21.1
fixed
suse enterprise server 15
7.60.0-1.1
fixed
suse enterprise server 15 SP1
7.60.0-3.17.1
fixed
suse enterprise server 15 SP2
7.66.0-2.59
fixed
suse enterprise server 15 SP3
7.66.0-4.14.1
fixed
suse enterprise server 15 SP4
7.79.1-150400.3.1
fixed
suse enterprise server 15 SP5
8.0.1-150400.5.23.1
fixed
suse enterprise server 15 SP6
8.6.0-150600.2.2
fixed
suse enterprise server 15 SP7
8.6.0-150600.4.21.1
fixed
libcurl4
suse enterprise desktop 15
7.60.0-1.1
fixed
suse enterprise desktop 15 SP1
7.60.0-3.17.1
fixed
suse enterprise desktop 15 SP2
7.66.0-2.59
fixed
suse enterprise desktop 15 SP3
7.66.0-4.14.1
fixed
suse enterprise desktop 15 SP4
7.79.1-150400.3.1
fixed
suse enterprise desktop 15 SP5
8.0.1-150400.5.23.1
fixed
suse enterprise desktop 15 SP6
8.6.0-150600.2.2
fixed
suse enterprise desktop 15 SP7
8.6.0-150600.4.21.1
fixed
suse enterprise sap 12 SP5
7.60.0-9.8
fixed
suse enterprise sap 15
7.60.0-1.1
fixed
suse enterprise sap 15 SP1
7.60.0-3.17.1
fixed
suse enterprise sap 15 SP2
7.66.0-2.59
fixed
suse enterprise sap 15 SP3
7.66.0-4.14.1
fixed
suse enterprise sap 15 SP4
7.79.1-150400.3.1
fixed
suse enterprise sap 15 SP5
8.0.1-150400.5.23.1
fixed
suse enterprise sap 15 SP6
8.6.0-150600.2.2
fixed
suse enterprise sap 15 SP7
8.6.0-150600.4.21.1
fixed
suse enterprise server 12 SP5
7.60.0-9.8
fixed
suse enterprise server 15
7.60.0-1.1
fixed
suse enterprise server 15 SP1
7.60.0-3.17.1
fixed
suse enterprise server 15 SP2
7.66.0-2.59
fixed
suse enterprise server 15 SP3
7.66.0-4.14.1
fixed
suse enterprise server 15 SP4
7.79.1-150400.3.1
fixed
suse enterprise server 15 SP5
8.0.1-150400.5.23.1
fixed
suse enterprise server 15 SP6
8.6.0-150600.2.2
fixed
suse enterprise server 15 SP7
8.6.0-150600.4.21.1
fixed
libcurl4-32bit
suse enterprise desktop 15
7.60.0-1.1
fixed
suse enterprise desktop 15 SP1
7.60.0-3.17.1
fixed
suse enterprise desktop 15 SP2
7.66.0-2.59
fixed
suse enterprise desktop 15 SP3
7.66.0-4.14.1
fixed
suse enterprise desktop 15 SP4
7.79.1-150400.3.1
fixed
suse enterprise desktop 15 SP5
8.0.1-150400.5.23.1
fixed
suse enterprise desktop 15 SP6
8.6.0-150600.2.2
fixed
suse enterprise desktop 15 SP7
8.6.0-150600.4.21.1
fixed
suse enterprise sap 12 SP5
7.60.0-9.8
fixed
suse enterprise sap 15
7.60.0-1.1
fixed
suse enterprise sap 15 SP1
7.60.0-3.17.1
fixed
suse enterprise sap 15 SP2
7.66.0-2.59
fixed
suse enterprise sap 15 SP3
7.66.0-4.14.1
fixed
suse enterprise sap 15 SP4
7.79.1-150400.3.1
fixed
suse enterprise sap 15 SP5
8.0.1-150400.5.23.1
fixed
suse enterprise sap 15 SP6
8.6.0-150600.2.2
fixed
suse enterprise sap 15 SP7
8.6.0-150600.4.21.1
fixed
suse enterprise server 12 SP5
7.60.0-9.8
fixed
suse enterprise server 15
7.60.0-1.1
fixed
suse enterprise server 15 SP1
7.60.0-3.17.1
fixed
suse enterprise server 15 SP2
7.66.0-2.59
fixed
suse enterprise server 15 SP3
7.66.0-4.14.1
fixed
suse enterprise server 15 SP4
7.79.1-150400.3.1
fixed
suse enterprise server 15 SP5
8.0.1-150400.5.23.1
fixed
suse enterprise server 15 SP6
8.6.0-150600.2.2
fixed
suse enterprise server 15 SP7
8.6.0-150600.4.21.1
fixed
Common Weakness Enumeration
References
http://www.securitytracker.com/id/1040273
https://access.redhat.com/errata/RHSA-2019:1543
https://curl.haxx.se/docs/adv_2018-824a.html
https://github.com/curl/curl/pull/2231
https://usn.ubuntu.com/3554-1/
https://www.debian.org/security/2018/dsa-4098
http://www.securitytracker.com/id/1040273
https://access.redhat.com/errata/RHSA-2019:1543
https://curl.haxx.se/docs/adv_2018-824a.html
https://github.com/curl/curl/pull/2231
https://usn.ubuntu.com/3554-1/
https://www.debian.org/security/2018/dsa-4098