CVE-2018-1000301
First published: Mon May 07 2018(Updated: )
curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded content. When servers send RTSP responses back to curl, the data starts out with a set of headers. curl parses that data to separate it into a number of headers to deal with those appropriately and to find the end of the headers that signal the start of the "body" part. The function that splits up the response into headers is called `Curl_http_readwrite_headers()` and in situations where it can't find a single header in the buffer, it might end up leaving a pointer pointing into the buffer instead of to the start of the buffer which then later on may lead to an out of buffer read when code assumes that pointer points to a full buffer size worth of memory to use. This could potentially lead to information leakage but most likely a crash/denial of service for applications if a server triggers this flaw. Introduced by following patches: <a href="https://github.com/curl/curl/commit/b2ef79ef3d47b37">https://github.com/curl/curl/commit/b2ef79ef3d47b37</a> <a href="https://github.com/curl/curl/commit/bc4582b68a673d3">https://github.com/curl/curl/commit/bc4582b68a673d3</a> Affected versions: curl 7.20.0 to and including curl 7.59.0 Not affected versions: curl < 7.20.0 and curl >= 7.60.0
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/curl | <=7.38.0-1<=7.26.0-1+wheezy13 | 7.60.0-1 |
| Debian Debian Linux | =7.0 | |
| Debian Debian Linux | =8.0 | |
| Debian Debian Linux | =9.0 | |
| Canonical Ubuntu Linux | =12.04 | |
| Canonical Ubuntu Linux | =14.04 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =17.10 | |
| Canonical Ubuntu Linux | =18.04 | |
| Haxx Curl | >=7.20.0<=7.59.0 | |
| Redhat Enterprise Linux Desktop | =7.0 | |
| Redhat Enterprise Linux Server | =7.0 | |
| Redhat Enterprise Linux Workstation | =7.0 | |
| Oracle Communications WebRTC Session Controller | <7.2 | |
| Oracle Enterprise Manager Ops Center | =12.2.2 | |
| Oracle Enterprise Manager Ops Center | =12.3.3 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.55 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.56 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.57 | |
| redhat/curl | <7.60.0 | 7.60.0 |
| debian/curl | 7.74.0-1.3+deb11u13 7.74.0-1.3+deb11u14 7.88.1-10+deb12u8 7.88.1-10+deb12u5 8.11.0-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://curl.haxx.se/docs/adv_2018-b138.html
- https://security-tracker.debian.org/tracker/CVE-2018-1000301
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000301
- https://security-tracker.debian.org/tracker/CVE-2018-1000120
- https://curl.haxx.se/docs/adv_2018-9cd6.html
- https://security-tracker.debian.org/tracker/CVE-2018-1000121
- https://curl.haxx.se/docs/adv_2018-97a2.html
- https://security-tracker.debian.org/tracker/CVE-2018-1000122
- https://curl.haxx.se/docs/adv_2018-b047.html
- https://security-tracker.debian.org/tracker/CVE-2018-1000300
- https://curl.haxx.se/docs/adv_2018-82c2.html
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898856
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
- http://www.securityfocus.com/bid/104225
- http://www.securitytracker.com/id/1040931
- https://access.redhat.com/errata/RHBA-2019:0327
- https://access.redhat.com/errata/RHSA-2018:3157
- https://access.redhat.com/errata/RHSA-2018:3558
- https://access.redhat.com/errata/RHSA-2020:0544
- https://access.redhat.com/errata/RHSA-2020:0594
- https://lists.debian.org/debian-lts-announce/2018/05/msg00010.html
- https://security.gentoo.org/glsa/201806-05
- https://usn.ubuntu.com/3598-2/
- https://usn.ubuntu.com/3648-1/
- https://www.debian.org/security/2018/dsa-4202
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://launchpad.net/bugs/cve/CVE-2018-1000301
- https://github.com/curl/curl/commit/b2ef79ef3d47b37
- https://github.com/curl/curl/commit/bc4582b68a673d3
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1432530&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1432530&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1578683
- https://bugzilla.redhat.com/show_bug.cgi?id=1575536
- https://nvd.nist.gov/vuln/detail/CVE-2018-1000301
- https://ubuntu.com/security/CVE-2018-1000301
Frequently Asked Questions
What is CVE-2018-1000301?
CVE-2018-1000301 is a vulnerability in curl version curl 7.20.0 to and including curl 7.59.0 that allows a buffer over-read leading to denial of service.
How severe is CVE-2018-1000301?
CVE-2018-1000301 has a severity rating of 9.1, which is classified as critical.
What is the recommended remedy for CVE-2018-1000301?
The recommended remedy for CVE-2018-1000301 is to update curl to version 7.60.0 or higher.
What software versions are affected by CVE-2018-1000301?
CWE-126: Buffer Over-read vulnerability affects curl versions 7.20.0 to 7.59.0.
Where can I find more information about CVE-2018-1000301?
You can find more information about CVE-2018-1000301 in the references: [link1] [link2] [link3].
- collector/debian-bugs
- alias/CVE-2018-1000301
- collector/nvd-index
- agent/type
- agent/remedy
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/author
- agent/severity
- agent/weakness
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- collector/redhat-bugzilla
- source/Red Hat
- agent/description
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- package-manager/debian
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/7.0
- version/debian debian linux/8.0
- version/debian debian linux/9.0
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/12.04
- version/canonical ubuntu linux/14.04
- version/canonical ubuntu linux/16.04
- version/canonical ubuntu linux/17.10
- version/canonical ubuntu linux/18.04
- vendor/haxx
- canonical/haxx curl
- version/haxx curl/7.20.0
- version/haxx curl/7.59.0
- vendor/redhat
- canonical/redhat enterprise linux desktop
- version/redhat enterprise linux desktop/7.0
- canonical/redhat enterprise linux server
- version/redhat enterprise linux server/7.0
- canonical/redhat enterprise linux workstation
- version/redhat enterprise linux workstation/7.0
- vendor/oracle
- canonical/oracle communications webrtc session controller
- canonical/oracle enterprise manager ops center
- version/oracle enterprise manager ops center/12.2.2
- version/oracle enterprise manager ops center/12.3.3
- canonical/oracle peoplesoft enterprise peopletools
- version/oracle peoplesoft enterprise peopletools/8.55
- version/oracle peoplesoft enterprise peopletools/8.56
- version/oracle peoplesoft enterprise peopletools/8.57
- package-manager/redhat