Bug 1644124 (CVE-2018-16842)

Summary: CVE-2018-16842 curl: Heap-based buffer over-read in the curl tool warning formatting
Product: [Other] Security Response Reporter: Sam Fowler <sfowler>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: abhgupta, bodavis, csutherl, dbaker, dbhole, erik-fedora, gzaronik, hhorak, jclere, john.j5live, jokerman, jorton, kanderso, kdudka, lgao, luhliari, mbabacek, mike, mturk, myarboro, omajid, paul, rwagner, security-response-team, sthangav, trankin, twalsh, weli, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,public=20181031,reported=20181028,source=distros,cvss3=3.6/CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:L,cwe=CWE-125,fedora-all/curl=affected,epel-7/mingw-curl=affected,rhel-8/curl=notaffected,rhel-7/curl=affected,rhel-6/curl=wontfix,rhel-5/curl=wontfix,openshift-online-3/curl=defer,rhscl-3/httpd24-curl=affected,jws-5/curl=notaffected,jbcs-1/curl=affected,dotnet-1.0/rh-dotnetcore10-curl=affected,dotnet-1.1/rh-dotnetcore11-curl=affected,dotnet-2.1/rh-dotnet21-curl=affected
Fixed In Version: curl 7.62.0 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-08-06 13:20:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1644559, 1649810, 1644558, 1644560, 1649809    
Bug Blocks: 1644126    

Description Sam Fowler 2018-10-30 05:12:16 UTC
Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the  tool_msgs.c:voutf() function.

This display function formats the output to wrap at 80 columns. The wrap logic is however flawed, so if a single word in the message is itself longer than 80 bytes the buffer arithmetic calculates the remainder wrong and will end up reading behind the end of the buffer. This could lead to information disclosure or crash.

Comment 1 Sam Fowler 2018-10-30 05:19:04 UTC
Acknowledgments:

Name: the Curl project
Upstream: Brian Carpenter (Geeknik Labs)

Comment 3 Sam Fowler 2018-10-31 07:04:35 UTC
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 1644558]


Created mingw-curl tracking bugs for this issue:

Affects: epel-7 [bug 1644559]

Comment 5 Tomas Hoger 2018-11-14 13:42:59 UTC
It should be noted that this issue only affects the curl command line tool, it does not affect the libcurl library.  The flaw is in the function that formats curl's warning and notice messages.  Messages are wrapped to 80 characters per line and hence long messages are split across multiple lines.  Those messages are used to print information about invalid or malformed options specified for the tool, hence they only contain trusted input in most use case and no trust boundary is crossed when invalid option is specified.  There does not seem to be any use of the warning function for printing any data from the remote servers.

The impact of the problem varies depending on the curl version.  In the current curl versions, the vulnerable code can be found in the voutf() function, and the function does not enforce any limit on the message length.  This is important, as the calculation goes off by one for every output line printed (if the line only contains text that was split in the middle of the word rather than at white space).

In curl versions prior to 7.58.0, the message is first printed into a 256 bytes long stack-based buffer.  This limits the number of times a long word can be wrapped to 3, and that also limits the size of the overflow.

https://github.com/curl/curl/commit/5d0ba70e17bde74d9a9108c38558f6491d2b5c4d
https://github.com/curl/curl/issues/2174

In curl versions prior to 7.45.0, the vulnerable code can be found in the warnf() functions.  In the commit linked below, the code was moved to voutf(), and warnf() was modified to call voutf().  The new function notef() was added as another caller of voutf().

https://github.com/curl/curl/commit/481e0de00a9003b9c5220b120e3fc302d9b0932d

This is the version of the code as used in the curl packages in Red Hat Enterprise Linux 7 and 6.

In curl versions prior to 1.16.3, there is a bug in the wrapping code that causes curl to print long words in a way that only one character is printed on each line.  This increases the size of the over-read.

https://github.com/curl/curl/commit/70b1900dd13d16f2e83f571407a614541d5ac9ba
https://sourceforge.net/p/curl/bugs/652/

This is the version of the code as used in the curl packages in Red Hat Enterprise Linux 5.

Comment 9 errata-xmlrpc 2019-08-06 12:25:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2181 https://access.redhat.com/errata/RHSA-2019:2181

Comment 10 Product Security DevOps Team 2019-08-06 13:20:30 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-16842