CVE-2018-1000005

2018-01-2422:29:00

Alpine Linux Development Team

security.alpinelinux.org

6.4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:N/A:P

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

9.3 High

AI Score

Confidence

High

0.007 Low

EPSS

Percentile

79.6%

JSON

libcurl 7.49.0 to and including 7.57.0 contains an out bounds read in code handling HTTP/2 trailers. It was reported (https://github.com/curl/curl/pull/2231) that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the code that creates HTTP/1-like headers from the HTTP/2 trailer data once appended a string like : to the target buffer, while this was recently changed to : (a space was added after the colon) but the following math wasn’t updated correspondingly. When accessed, the data is read out of bounds and causes either a crash or that the (too large) data gets passed to client write. This could lead to a denial-of-service situation or an information disclosure if someone has a service that echoes back or uses the trailers for something.

OSVersionArchitecturePackageVersionFilename
Alpine3.4-mainnoarchcurl< 7.58.0-r0UNKNOWN
Alpine3.5-mainnoarchcurl< 7.58.0-r0UNKNOWN
Alpine3.6-mainnoarchcurl< 7.58.0-r0UNKNOWN
Alpine3.7-mainnoarchcurl< 7.58.0-r0UNKNOWN

OS	Version	Architecture	Package	Version	Filename
Alpine	3.4-main	noarch	curl	< 7.58.0-r0	UNKNOWN
Alpine	3.5-main	noarch	curl	< 7.58.0-r0	UNKNOWN
Alpine	3.6-main	noarch	curl	< 7.58.0-r0	UNKNOWN
Alpine	3.7-main	noarch	curl	< 7.58.0-r0	UNKNOWN