curl: CVE-2018-1000120 CVE-2018-1000121 CVE-2018-1000122

Debian Bug report logs - #893546


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 19 Mar 2018 20:09:01 UTC

Severity: serious

Tags: fixed-upstream, patch, security, upstream

Found in version curl/7.38.0-4

Fixed in versions curl/7.52.1-5+deb9u5, curl/7.38.0-4+deb8u10, curl/7.60.0-1

Done: Alessandro Ghedini <ghedo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Alessandro Ghedini <ghedo@debian.org>:
Bug#893546; Package src:curl. (Mon, 19 Mar 2018 20:09:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Alessandro Ghedini <ghedo@debian.org>. (Mon, 19 Mar 2018 20:09:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: curl: CVE-2018-1000120 CVE-2018-1000121 CVE-2018-1000122
Date: Mon, 19 Mar 2018 21:06:35 +0100
Source: curl
Version: 7.38.0-4
Severity: serious
Tags: patch security upstream fixed-upstream
Justification: regression with respect to stable with security fixes
Control: fixed -1 7.38.0-4+deb8u10
Control: fixed -1 7.52.1-5+deb9u5

Hi,

the following vulnerabilities were published for curl.

CVE-2018-1000120[0]:
| A buffer overflow exists in curl 7.12.3 to and including curl 7.58.0
| in the FTP URL handling that allows an attacker to cause a denial of
| service or worse.

CVE-2018-1000121[1]:
| A NULL pointer dereference exists in curl 7.21.0 to and including curl
| 7.58.0 in the LDAP code that allows an attacker to cause a denial of
| service

CVE-2018-1000122[2]:
| A buffer over-read exists in curl 7.20.0 to and including curl 7.58.0
| in the RTSP+RTP handling code that allows an attacker to cause a
| denial of service or information leakage

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1000120
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000120
[1] https://security-tracker.debian.org/tracker/CVE-2018-1000121
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000121
[2] https://security-tracker.debian.org/tracker/CVE-2018-1000122
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000122

Regards,
Salvatore



Marked as fixed in versions curl/7.38.0-4+deb8u10. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Mon, 19 Mar 2018 20:09:04 GMT)


Marked as fixed in versions curl/7.52.1-5+deb9u5. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Mon, 19 Mar 2018 20:09:05 GMT)


Reply sent to Alessandro Ghedini <ghedo@debian.org>:
You have taken responsibility. (Fri, 18 May 2018 19:51:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 18 May 2018 19:51:07 GMT)


Message #14 received at 893546-close@bugs.debian.org:

From: Alessandro Ghedini <ghedo@debian.org>
To: 893546-close@bugs.debian.org
Subject: Bug#893546: fixed in curl 7.60.0-1
Date: Fri, 18 May 2018 19:49:25 +0000
Source: curl
Source-Version: 7.60.0-1

We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 893546@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alessandro Ghedini <ghedo@debian.org> (supplier of updated curl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 18 May 2018 20:21:17 +0100
Source: curl
Binary: curl libcurl3 libcurl3-gnutls libcurl3-nss libcurl4-openssl-dev libcurl4-gnutls-dev libcurl4-nss-dev libcurl4-doc
Architecture: source
Version: 7.60.0-1
Distribution: unstable
Urgency: medium
Maintainer: Alessandro Ghedini <ghedo@debian.org>
Changed-By: Alessandro Ghedini <ghedo@debian.org>
Description:
 curl       - command line tool for transferring data with URL syntax
 libcurl3   - easy-to-use client-side URL transfer library (OpenSSL flavour)
 libcurl3-gnutls - easy-to-use client-side URL transfer library (GnuTLS flavour)
 libcurl3-nss - easy-to-use client-side URL transfer library (NSS flavour)
 libcurl4-doc - documentation for libcurl
 libcurl4-gnutls-dev - development files and documentation for libcurl (GnuTLS flavour)
 libcurl4-nss-dev - development files and documentation for libcurl (NSS flavour)
 libcurl4-openssl-dev - development files and documentation for libcurl (OpenSSL flavour)
Closes: 891997 893546 898856
Changes:
 curl (7.60.0-1) unstable; urgency=medium
 .
   * New upstream release (Closes: #891997, #893546, #898856)
     + Fix use of IPv6 literals with NO_PROXY
     + Fix NIL byte out of bounds write due to FTP path trickery
       as per CVE-2018-1000120
       https://curl.haxx.se/docs/adv_2018-9cd6.html
     + Fix LDAP NULL pointer dereference as per CVE-2018-1000121
       https://curl.haxx.se/docs/adv_2018-97a2.html
     + Fix RTSP RTP buffer over-read as per CVE-2018-1000122
       https://curl.haxx.se/docs/adv_2018-b047.html
     + Fix heap buffer overflow when closing down an FTP connection
       with very long server command replies as per CVE-2018-1000300
       https://curl.haxx.se/docs/adv_2018-82c2.html
     + Fix heap buffer over-read when parsing bad RTSP headers
       as per CVE-2018-1000301
       https://curl.haxx.se/docs/adv_2018-b138.html
   * Refresh patches
   * Bump Standards-Version to 4.1.4 (no changes needed)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 02 Aug 2018 07:27:10 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:45:47 2019; Machine Name: beach
