[security-announce] Security Update: cURL fix for CVE-2018-1000005

Sona Sarmadi sona.sarmadi at enea.com
Fri Mar 2 15:52:53 CET 2018


		Enea Linux Security Advisory

====================================================================
Product/package: Enea Linux 7.0: (curl 7.53.1)
Severity: Medium
Architecture: all
CVE Name: CVE-2018-1000005
====================================================================

This security update fixes HTTP/2 trailer out-of-bounds read vulnerability 
in cURL version 7.53.1.

Description
============
libcurl 7.49.0 to and including 7.57.0 contains an out bounds read in
code handling HTTP/2 trailers. It was reported (https://github.com/
curl/curl/pull/2231) that reading an HTTP/2 trailer could mess up future
trailers since the stored size was one byte less than required. The
problem is that the code that creates HTTP/1-like headers from the
HTTP/2 trailer data once appended a string like `:` to the target
buffer, while this was recently changed to `: ` (a space was added after
the colon) but the following math wasn't updated correspondingly. When
accessed, the data is read out of bounds and causes either a crash or
that the (too large) data gets passed to client write. This could lead
to a denial-of-service situation or an information disclosure if someone
has a service that echoes back or uses the trailers for something.
References ========== https://curl.haxx.se/docs/adv_2018-824a.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000005 - If you have already cloned needed repositories, update it to get new
security patches.

cd Enea-Linux-7.0
$ repo sync

- If you have not yet cloned needed repositories, do it as described
below. (Security patches are fetched implicitly when cloning the repos).

Use repo tool to download the source for the Enea Linux 7.0 standard,
follow the steps below:
1. Make sure that the repo tool is installed. If not, follow the
instructions below:

$ curl https://storage.googleapis.com/git-repo-downloads/repo >
~/bin/repo $ chmod a+x ~/bin/repo

The instruction assumes that ~/bin exists and is included in the PATH
variable.

2.Use the repo tool to download the source:
$ mkdir Enea-Linux-7.0
$ cd Enea-Linux-7.0
$ repo init \
-u git://git.enea.com/linux/el_manifests-standard.git -b pyro -m
<manifest file> 
$ repo sync

The parameter <manifest file> depends on the target:
RaspberryPi: raspberripi3-64/defult.xml

If you have any questions regarding the security patches and security
updates please contact security at enea.com.

For gerneral security refer to Enea Linux Security page:
http://www.enea.com/solutions/Enea-Linux/Security/

For the CVEs fixed at Enea Linux releases see CVE list:
http://www.enea.com/solutions/Enea-Linux/Security/CVEs-list/

For custom packages/releases please use the Support Channel:
http://www.enea.com/solutions/support.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com








-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://mail.lists.enea.com/pipermail/security-announce/attachments/20180302/9f82cc1c/attachment.sig>


More information about the security-announce mailing list