CVSS2: AV:N/AC:L/Au:N/C:P/I:P/A:P
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
CVSS3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
EPSS Percentile: 87.5%
Severity: High
Date : 2018-11-06
CVE-ID : CVE-2018-16839 CVE-2018-16840
Package : lib32-libcurl-compat
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-797
The package lib32-libcurl-compat before version 7.62.0-1 is vulnerable
to arbitrary code execution.

Upgrade to 7.62.0-1.

The problems have been fixed upstream in version 7.62.0.

Workaround: None.

CVE-2018-16839: The internal function Curl_auth_create_plain_message
fails to correctly verify that the passed-in lengths for name and
password aren't too long before it calculates a buffer size to
allocate. On systems with a 32-bit size_t, the calculation of the
buffer size triggers an integer overflow when the user name length
exceeds 2GB (2^31 bytes). This integer overflow usually causes a very
small buffer to be allocated instead of the intended very large one, so
that use of the buffer results in a heap buffer overflow.

CVE-2018-16840: A heap use-after-free flaw was found in curl versions
from 7.59.0 through 7.61.1 in the code related to closing an easy
handle. When closing and cleaning up an 'easy' handle in the
Curl_close() function, the library code first frees a struct (without
nulling the pointer) and might then subsequently erroneously write to a
struct field within that already freed struct.

A malicious remote server might be able to execute arbitrary commands
by closing the connection from a client using easy handles. A
malicious user could execute arbitrary code by passing a very long
username or password used for SASL authentication.
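
The size calculation behind CVE-2018-16839, as an added example that is not curl's code and not part of the advisory. It models a 32-bit size_t with uint32_t and assumes a SASL PLAIN message laid out as user, NUL, user, NUL, password, so the size is 2*ulen + plen + 2; the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Models a 32-bit size_t so the wrap is reproducible on a 64-bit host. */
typedef uint32_t size32_t;

/* Assumed layout (SASL PLAIN): user NUL user NUL password. */

/* Size the caller actually needs, computed without wrapping. */
uint64_t plain_len_true(size32_t ulen, size32_t plen)
{
  return 2 * (uint64_t)ulen + plen + 2;
}

/* Unchecked form: unsigned arithmetic silently wraps modulo 2^32. */
size32_t plain_len_unchecked(size32_t ulen, size32_t plen)
{
  return (size32_t)(2u * ulen + plen + 2u);
}

/* Checked form: returns 0 and stores the size, or -1 if it cannot be
   represented. Each bound is tested before the operation it guards. */
int plain_len_checked(size32_t ulen, size32_t plen, size32_t *out)
{
  size32_t base;

  if(ulen > (UINT32_MAX - 2u) / 2u)
    return -1;                    /* 2*ulen + 2 would wrap */
  base = 2u * ulen + 2u;
  if(plen > UINT32_MAX - base)
    return -1;                    /* base + plen would wrap */
  *out = base + plen;
  return 0;
}

int main(void)
{
  size32_t ulen = 0x80000001u;    /* constructed: just over 2^31 bytes */
  size32_t plen = 8u;
  size32_t out = 0;

  printf("needed:    %llu bytes\n",
         (unsigned long long)plain_len_true(ulen, plen));
  printf("unchecked: %u bytes would be allocated\n",
         (unsigned)plain_len_unchecked(ulen, plen));
  printf("checked:   %s\n",
         plain_len_checked(ulen, plen, &out) ? "rejected" : "accepted");
  return 0;
}
```

With the unchecked form, an allocation sized from the wrapped value is followed by copies of the real lengths, which is the heap overflow the description refers to.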
https://curl.haxx.se/docs/CVE-2018-16839.html
https://github.com/curl/curl/commit/f3a24d7916b9173c69a3e0ee790102993833d6c5
https://curl.haxx.se/docs/CVE-2018-16840.html
https://github.com/curl/curl/commit/81d135d67155c5295b1033679c606165d4e28f3f
https://security.archlinux.org/CVE-2018-16839
https://security.archlinux.org/CVE-2018-16840
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ArchLinux | any | any | lib32-libcurl-compat | < 7.62.0-1 | UNKNOWN |