Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1517691 - (CVE-2017-8818) CVE-2017-8818 curl: Out-of-bound access in SSL related cleanup code
CVE-2017-8818 curl: Out-of-bound access in SSL related cleanup code
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20171129,repor...
: Security
Depends On:
Blocks: 1515763
  Show dependency treegraph
 
Reported: 2017-11-27 03:57 EST by Andrej Nemec
Modified: 2018-01-11 07:52 EST (History)
11 users (show)

See Also:
Fixed In Version: curl 7.57.0
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-12-12 01:49:20 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Andrej Nemec 2017-11-27 03:57:56 EST 
When allocating memory for a connection (the internal struct called
`connectdata`), a certain amount of extra memory is allocate at the end of the
struct to be used for SSL related structs. Those structs are used by the
particular SSL library libcurl is built to use and in this case the
application can also tell libcurl which SSL library to use if it was built to
support more than one.

The math used for the extra memory was wrong on 32 bit systems, which made the
allocated memory too small. The last struct setup that is used by the SSL
library could then access memory outside of the allocated block. It could lead
to a crash or to other undefined behaviors depending on what memory that is
present there and how the particular SSL library decides to act on that memory
content.

External References:

https://curl.haxx.se/docs/adv_2017-af0a.html

Introduced in commit:

https://github.com/curl/curl/commit/70f1db321a

Upstream issue:

https://github.com/curl/curl/issues/2093

Upstream patch:

https://github.com/curl/curl/commit/9b5e12a5491d2e6b68e0c88ca56f3a9ef9fba400
Comment 1 Andrej Nemec 2017-11-27 03:57:59 EST 
Acknowledgments:

Name: the Curl project
Upstream: John Schoenick
Comment 2 Andrej Nemec 2017-11-27 04:00:20 EST 
AFFECTED VERSIONS
-----------------

This is only an issue on systems with 32 bit pointers.

- Affected versions: libcurl 7.56.0 to and including 7.56.1
- Not affected versions: libcurl < 7.56.0 and >= 7.57.0
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.