Bug 1517691 (CVE-2017-8818) - CVE-2017-8818 curl: Out-of-bound access in SSL related cleanup code
Summary: CVE-2017-8818 curl: Out-of-bound access in SSL related cleanup code
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2017-8818
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1515763
TreeView+ depends on / blocked
 
Reported: 2017-11-27 08:57 UTC by Andrej Nemec
Modified: 2019-09-29 14:26 UTC (History)
11 users (show)

Fixed In Version: curl 7.57.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-12-12 06:49:20 UTC


Attachments (Terms of Use)

Description Andrej Nemec 2017-11-27 08:57:56 UTC
When allocating memory for a connection (the internal struct called
`connectdata`), a certain amount of extra memory is allocate at the end of the
struct to be used for SSL related structs. Those structs are used by the
particular SSL library libcurl is built to use and in this case the
application can also tell libcurl which SSL library to use if it was built to
support more than one.

The math used for the extra memory was wrong on 32 bit systems, which made the
allocated memory too small. The last struct setup that is used by the SSL
library could then access memory outside of the allocated block. It could lead
to a crash or to other undefined behaviors depending on what memory that is
present there and how the particular SSL library decides to act on that memory
content.

External References:

https://curl.haxx.se/docs/adv_2017-af0a.html

Introduced in commit:

https://github.com/curl/curl/commit/70f1db321a

Upstream issue:

https://github.com/curl/curl/issues/2093

Upstream patch:

https://github.com/curl/curl/commit/9b5e12a5491d2e6b68e0c88ca56f3a9ef9fba400

Comment 1 Andrej Nemec 2017-11-27 08:57:59 UTC
Acknowledgments:

Name: the Curl project
Upstream: John Schoenick

Comment 2 Andrej Nemec 2017-11-27 09:00:20 UTC
AFFECTED VERSIONS
-----------------

This is only an issue on systems with 32 bit pointers.

- Affected versions: libcurl 7.56.0 to and including 7.56.1
- Not affected versions: libcurl < 7.56.0 and >= 7.57.0


Note You need to log in before you can comment on or make changes to this bug.