ESB-2018.1505 - [Debian] curl: Denial of service - Remote with user interaction 2018-05-17


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1505
                      curl security update for Debian
                                17 May 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           curl
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   Debian GNU/Linux 8
                   Debian GNU/Linux 7
Impact/Access:     Denial of Service        -- Remote with User Interaction
                   Access Confidential Data -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1000301  

Reference:         ESB-2018.1504

Original Bulletin: 
   http://www.debian.org/security/2018/dsa-4202
   https://lists.debian.org/debian-lts-announce/2018/05/msg00010.html

Comment: This bulletin contains two (2) Debian security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4202-1                   security@debian.org
https://www.debian.org/security/                       Alessandro Ghedini
May 16, 2018                          https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : curl
CVE ID         : CVE-2018-1000301
Debian Bug     : 898856

OSS-fuzz, assisted by Max Dymond, discovered that cURL, a URL transfer
library, could be tricked into reading data beyond the end of a heap
based buffer when parsing invalid headers in an RTSP response.

For the oldstable distribution (jessie), this problem has been fixed
in version 7.38.0-4+deb8u11.

For the stable distribution (stretch), this problem has been fixed in
version 7.52.1-5+deb9u6.

We recommend that you upgrade your curl packages.

For the detailed security status of curl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/curl

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : curl
Version        : 7.26.0-1+wheezy25+deb7u1
CVE ID         : CVE-2018-1000301
Debian Bug     : #898856

It was discovered that there was an issue in curl, a command-line tool
for downloading (e.g.) data over HTTP.

curl could have been tricked into reading data beyond the end of a heap
based buffer used to store downloaded content.

For more information, please see upstream's advisory at:

  https://curl.haxx.se/docs/adv_2018-b138.html

For Debian 7 "Wheezy", this issue has been fixed in curl version
7.26.0-1+wheezy25+deb7u1.

We recommend that you upgrade your curl packages.


Regards,

- - -- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
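
To check whether an installed curl package predates the fixed versions named in the two Debian advisories above, the following is an added example (not part of the Debian or AusCERT text): a Python port of dpkg's version comparison algorithm, so the check can run on a host inventory without dpkg present. The fixed version strings are taken from the advisories; the suite keys ("wheezy", "jessie", "stretch") and function names are assumptions of this example.

```python
# Fixed curl versions per Debian suite, as stated in the advisories above.
FIXED_VERSIONS = {"wheezy": "7.26.0-1+wheezy25+deb7u1", "jessie": "7.38.0-4+deb8u11",
                  "stretch": "7.52.1-5+deb9u6"}

def _order(c):
    # dpkg weight for non-digit chars: '~' sorts before end-of-string ('' -> 0),
    # letters sort by code point and before any other punctuation.
    if c == "~":
        return -1
    if not c or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # Port of dpkg's verrevcmp(): alternate non-digit runs and numeric runs.
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            diff = _order(a[:1]) - _order(b[:1])
            if diff:
                return diff
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")   # leading zeros are insignificant
        first_diff = 0
        while a and b and a[0].isdigit() and b[0].isdigit():
            first_diff = first_diff or ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():              # the longer numeric run is larger
            return 1
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def _split(version):
    # '[epoch:]upstream[-revision]'; epoch defaults to 0, revision to ''.
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), revision

def compare_versions(v1, v2):
    # -1, 0 or 1, matching `dpkg --compare-versions v1 lt|eq|gt v2`.
    (e1, u1, r1), (e2, u2, r2) = _split(v1), _split(v2)
    c = (e1 > e2) - (e1 < e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)

def is_affected(suite, installed):
    # True when the installed curl predates the suite's fixed version.
    return compare_versions(installed, FIXED_VERSIONS[suite]) < 0
```

Feed it the output of `dpkg-query -W -f '${Version}' curl` from each host; the tilde and numeric-run rules matter because backport and security suffixes such as `~bpo` and `+deb9u10` do not sort lexically.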

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
