Daniel Stenberg
2018-03-14 06:55:11 UTC
RTSP RTP buffer over-read
=========================
Project curl Security Advisory, March 14th 2018 -
[Permalink](https://curl.haxx.se/docs/adv_2018-b047.html)
VULNERABILITY
-------------
curl can be tricked into copying data beyond end of its heap based buffer.
When asked to transfer an RTSP URL, curl could calculate a wrong data length
to copy from the read buffer. The memcpy call would copy data from the heap
following the buffer to a storage area that would subsequently be delivered to
the application (if it didn't cause a crash). We've managed to get it to reach
several hundreds bytes out of range.
This could lead to information leakage or a denial of service for the
application if the server offering the RTSP data can trigger this.
We are not aware of any exploit of this flaw.
INFO
----
This bug was introduced in January 2010 in [this
commit](https://github.com/curl/curl/commit/bc4582b68a673d3) when RTSP support
was first added.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2018-1000122 to this issue.
CWE-126: Buffer Over-read
AFFECTED VERSIONS
-----------------
- Affected versions: curl 7.20.0 to and including curl 7.58.0
- Not affected versions: curl < 7.20.0 and curl >= 7.59.0
libcurl is used by many applications, but not always advertised as such.
THE SOLUTION
------------
In curl version 7.59.0, curl makes sure that this code never gets told to copy
more data than it is allowed to read from the buffer.
A [patch for CVE-2018-1000122](https://curl.haxx.se/CVE-2018-1000122.patch) is available.
RECOMMENDATIONS
---------------
We suggest you take one of the following actions immediately, in order of
preference:
A - Upgrade curl to version 7.59.0
B - Apply the patch to your version and rebuild
TIME LINE
---------
It was reported to the curl project on February 20, 2018
We contacted ***@openwall on March 8, 2018.
curl 7.59.0 was released on March 14 2018, coordinated with the publication of
this advisory.
CREDITS
-------
Detected by OSS-fuzz. Assisted by Max Dymond. Patch by Daniel Stenberg.
Thanks a lot!
=========================
Project curl Security Advisory, March 14th 2018 -
[Permalink](https://curl.haxx.se/docs/adv_2018-b047.html)
VULNERABILITY
-------------
curl can be tricked into copying data beyond end of its heap based buffer.
When asked to transfer an RTSP URL, curl could calculate a wrong data length
to copy from the read buffer. The memcpy call would copy data from the heap
following the buffer to a storage area that would subsequently be delivered to
the application (if it didn't cause a crash). We've managed to get it to reach
several hundreds bytes out of range.
This could lead to information leakage or a denial of service for the
application if the server offering the RTSP data can trigger this.
We are not aware of any exploit of this flaw.
INFO
----
This bug was introduced in January 2010 in [this
commit](https://github.com/curl/curl/commit/bc4582b68a673d3) when RTSP support
was first added.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2018-1000122 to this issue.
CWE-126: Buffer Over-read
AFFECTED VERSIONS
-----------------
- Affected versions: curl 7.20.0 to and including curl 7.58.0
- Not affected versions: curl < 7.20.0 and curl >= 7.59.0
libcurl is used by many applications, but not always advertised as such.
THE SOLUTION
------------
In curl version 7.59.0, curl makes sure that this code never gets told to copy
more data than it is allowed to read from the buffer.
A [patch for CVE-2018-1000122](https://curl.haxx.se/CVE-2018-1000122.patch) is available.
RECOMMENDATIONS
---------------
We suggest you take one of the following actions immediately, in order of
preference:
A - Upgrade curl to version 7.59.0
B - Apply the patch to your version and rebuild
TIME LINE
---------
It was reported to the curl project on February 20, 2018
We contacted ***@openwall on March 8, 2018.
curl 7.59.0 was released on March 14 2018, coordinated with the publication of
this advisory.
CREDITS
-------
Detected by OSS-fuzz. Assisted by Max Dymond. Patch by Daniel Stenberg.
Thanks a lot!
--
/ daniel.haxx.se
-----------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-users
Etiquette: https://
/ daniel.haxx.se
-----------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-users
Etiquette: https://