Daniel Stenberg
2018-03-14 06:55:08 UTC
LDAP NULL pointer dereference
=============================
Project curl Security Advisory, March 14th 2018 -
[Permalink](https://curl.haxx.se/docs/adv_2018-97a2.html)
VULNERABILITY
-------------
curl might dereference a near-NULL address when getting an LDAP URL.
The function `ldap_get_attribute_ber()` is called to get attributes, but it
turns out that it can return `LDAP_SUCCESS` and still return a `NULL` pointer
in the result pointer when getting a particularly crafted response. This was a
surprise to us and to the code.
libcurl-using applications that allow LDAP URLs, or that allow redirects to
LDAP URLs could be made to crash by a malicious server.
We are not aware of any exploit of this flaw.
INFO
----
The bug is only present in curl versions built to use OpenLDAP.
This bug was introduced in May 2010 in [this
commit](https://github.com/curl/curl/commit/2e056353b00d09).
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2018-1000121 to this issue.
CWE-476: NULL Pointer Dereference
AFFECTED VERSIONS
-----------------
- Affected versions: curl 7.21.0 to and including curl 7.58.0
- Not affected versions: curl < 7.21.0 and curl >= 7.59.0
libcurl is used by many applications, but not always advertised as such.
THE SOLUTION
------------
In curl version 7.59.0, curl checks the pointer properly before using it.
A [patch for CVE-2018-1000121](https://curl.haxx.se/CVE-2018-1000121.patch) is available.
RECOMMENDATIONS
---------------
We suggest you take one of the following actions immediately, in order of
preference:
A - Upgrade curl to version 7.59.0
B - Apply the patch to your version and rebuild
C - Make sure you disable LDAP in your transfers
TIME LINE
---------
It was reported to the curl project on March 6, 2018
We contacted ***@openwall on March 7, 2018.
curl 7.59.0 was released on March 14 2018, coordinated with the publication of
this advisory.
CREDITS
-------
Reported by Dario Weisser. Patch by Daniel Stenberg.
Thanks a lot!
=============================
Project curl Security Advisory, March 14th 2018 -
[Permalink](https://curl.haxx.se/docs/adv_2018-97a2.html)
VULNERABILITY
-------------
curl might dereference a near-NULL address when getting an LDAP URL.
The function `ldap_get_attribute_ber()` is called to get attributes, but it
turns out that it can return `LDAP_SUCCESS` and still return a `NULL` pointer
in the result pointer when getting a particularly crafted response. This was a
surprise to us and to the code.
libcurl-using applications that allow LDAP URLs, or that allow redirects to
LDAP URLs could be made to crash by a malicious server.
We are not aware of any exploit of this flaw.
INFO
----
The bug is only present in curl versions built to use OpenLDAP.
This bug was introduced in May 2010 in [this
commit](https://github.com/curl/curl/commit/2e056353b00d09).
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2018-1000121 to this issue.
CWE-476: NULL Pointer Dereference
AFFECTED VERSIONS
-----------------
- Affected versions: curl 7.21.0 to and including curl 7.58.0
- Not affected versions: curl < 7.21.0 and curl >= 7.59.0
libcurl is used by many applications, but not always advertised as such.
THE SOLUTION
------------
In curl version 7.59.0, curl checks the pointer properly before using it.
A [patch for CVE-2018-1000121](https://curl.haxx.se/CVE-2018-1000121.patch) is available.
RECOMMENDATIONS
---------------
We suggest you take one of the following actions immediately, in order of
preference:
A - Upgrade curl to version 7.59.0
B - Apply the patch to your version and rebuild
C - Make sure you disable LDAP in your transfers
TIME LINE
---------
It was reported to the curl project on March 6, 2018
We contacted ***@openwall on March 7, 2018.
curl 7.59.0 was released on March 14 2018, coordinated with the publication of
this advisory.
CREDITS
-------
Reported by Dario Weisser. Patch by Daniel Stenberg.
Thanks a lot!
--
/ daniel.haxx.se
-----------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-users
Etiquette: https://curl.haxx.se/mail/etiquet
/ daniel.haxx.se
-----------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-users
Etiquette: https://curl.haxx.se/mail/etiquet