SB2018110516 - Use-after-free error in curl (Alpine package)
Published: November 5, 2018
Security Bulletin ID
SB2018110516
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Use-after-free error (CVE-ID: CVE-2018-16840)
The vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists due to use-after-free error in closing an easy handle in the 'Curl_close()' function. A remote unauthenticated attacker can specially crafted data, trigger memory corruption and cause the service to crash.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=9a196002b469339f47b2d93361aced8256aa4dce
- https://git.alpinelinux.org/aports/commit/?id=8cf4c8d1fc7898a590a8df46d139785baba40576
- https://git.alpinelinux.org/aports/commit/?id=45a890319c9dae0764956a1cde0508ea76d5a6d4
- https://git.alpinelinux.org/aports/commit/?id=73c7cfb12e9bf26f050b7ad2b5975c7b8c737f76
- https://git.alpinelinux.org/aports/commit/?id=d84961d2c2bf448d72bbe0cbcc3d08d37bb88dab
- https://git.alpinelinux.org/aports/commit/?id=e18d21d9de556e0b240ee9927d91fce46d8e31ba
- https://git.alpinelinux.org/aports/commit/?id=8776c8cc044196f8f87d6fbc51e38dfa0f5aa438