Main Vulnerability Database SB2018020838

SB2018020838 - Out-of-bounds read in curl (Alpine package)

Published: February 8, 2018

Security Bulletin ID SB2018020838

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Out-of-bounds read (CVE-ID: CVE-2018-1000005)

The vulnerability allows a remote attacker to obtain potentially sensitive information or cause DoS condition on the target system.

The weakness exists due to insufficient validation of user-supplied input. A remote attacker can send a specially crafted HTTP/2 trailer to trigger an out-of-bounds memory read error and cause the application to crash or obtain potentially sensitive information from services that echo back or otherwise use the trailers.

Remediation

Install update from vendor's website.

References

https://git.alpinelinux.org/aports/commit/?id=6e70a2d69d0f187a8377382342251df152f07be5
https://git.alpinelinux.org/aports/commit/?id=c06e486361bfb260c36b661c47d03ff912df9539
https://git.alpinelinux.org/aports/commit/?id=c89963423f62b461c4ff91f4e1ccb9af756fe5d4