Bug 1517691 (CVE-2017-8818)

Summary: CVE-2017-8818 curl: Out-of-bound access in SSL related cleanup code
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: erik-fedora, hhorak, java-maint, john.j5live, jorton, kdudka, mike, omajid, paul, security-response-team, sisharma
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: curl 7.57.0 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-12-12 06:49:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1515763    

Description Andrej Nemec 2017-11-27 08:57:56 UTC 
When allocating memory for a connection (the internal struct called
`connectdata`), a certain amount of extra memory is allocate at the end of the
struct to be used for SSL related structs. Those structs are used by the
particular SSL library libcurl is built to use and in this case the
application can also tell libcurl which SSL library to use if it was built to
support more than one.

The math used for the extra memory was wrong on 32 bit systems, which made the
allocated memory too small. The last struct setup that is used by the SSL
library could then access memory outside of the allocated block. It could lead
to a crash or to other undefined behaviors depending on what memory that is
present there and how the particular SSL library decides to act on that memory
content.

External References:

https://curl.haxx.se/docs/adv_2017-af0a.html

Introduced in commit:

https://github.com/curl/curl/commit/70f1db321a

Upstream issue:

https://github.com/curl/curl/issues/2093

Upstream patch:

https://github.com/curl/curl/commit/9b5e12a5491d2e6b68e0c88ca56f3a9ef9fba400
Comment 1 Andrej Nemec 2017-11-27 08:57:59 UTC 
Acknowledgments:

Name: the Curl project
Upstream: John Schoenick
Comment 2 Andrej Nemec 2017-11-27 09:00:20 UTC 
AFFECTED VERSIONS
-----------------

This is only an issue on systems with 32 bit pointers.

- Affected versions: libcurl 7.56.0 to and including 7.56.1
- Not affected versions: libcurl < 7.56.0 and >= 7.57.0