Discussion:
[SECURITY ADVISORY] curl: RTSP RTP buffer over-read
Daniel Stenberg
2018-03-14 06:55:11 UTC
Permalink
RTSP RTP buffer over-read
=========================

Project curl Security Advisory, March 14th 2018 -
[Permalink](https://curl.haxx.se/docs/adv_2018-b047.html)

VULNERABILITY
-------------

curl can be tricked into copying data beyond end of its heap based buffer.

When asked to transfer an RTSP URL, curl could calculate a wrong data length
to copy from the read buffer. The memcpy call would copy data from the heap
following the buffer to a storage area that would subsequently be delivered to
the application (if it didn't cause a crash). We've managed to get it to reach
several hundreds bytes out of range.

This could lead to information leakage or a denial of service for the
application if the server offering the RTSP data can trigger this.

We are not aware of any exploit of this flaw.

INFO
----

This bug was introduced in January 2010 in [this
commit](https://github.com/curl/curl/commit/bc4582b68a673d3) when RTSP support
was first added.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2018-1000122 to this issue.

CWE-126: Buffer Over-read

AFFECTED VERSIONS
-----------------

- Affected versions: curl 7.20.0 to and including curl 7.58.0
- Not affected versions: curl < 7.20.0 and curl >= 7.59.0

libcurl is used by many applications, but not always advertised as such.

THE SOLUTION
------------

In curl version 7.59.0, curl makes sure that this code never gets told to copy
more data than it is allowed to read from the buffer.

A [patch for CVE-2018-1000122](https://curl.haxx.se/CVE-2018-1000122.patch) is available.

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

A - Upgrade curl to version 7.59.0

B - Apply the patch to your version and rebuild

TIME LINE
---------

It was reported to the curl project on February 20, 2018

We contacted ***@openwall on March 8, 2018.

curl 7.59.0 was released on March 14 2018, coordinated with the publication of
this advisory.

CREDITS
-------

Detected by OSS-fuzz. Assisted by Max Dymond. Patch by Daniel Stenberg.

Thanks a lot!
--
/ daniel.haxx.se
-----------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-users
Etiquette: https://
Loading...