SB2018110517 - Heap-based buffer overflow in curl (Alpine package)
Published: November 5, 2018
Security Bulletin ID
SB2018110517
CSH Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Heap-based buffer overflow (CVE-ID: CVE-2018-16842)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists due to heap-based buffer over-read in the tool_msgs.c:voutf() function. A remote unauthenticated attacker can specially crafted data, trigger memory corruption to read back out-of-buffer data and cause the service to crash.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=45a890319c9dae0764956a1cde0508ea76d5a6d4
- https://git.alpinelinux.org/aports/commit/?id=73c7cfb12e9bf26f050b7ad2b5975c7b8c737f76
- https://git.alpinelinux.org/aports/commit/?id=d84961d2c2bf448d72bbe0cbcc3d08d37bb88dab
- https://git.alpinelinux.org/aports/commit/?id=e18d21d9de556e0b240ee9927d91fce46d8e31ba
- https://git.alpinelinux.org/aports/commit/?id=8776c8cc044196f8f87d6fbc51e38dfa0f5aa438