Document curl vulnerability

1 files changed, 70 insertions, 0 deletions

diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index 486f9c4c7e6a..546a6d235f7b 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -58,6 +58,76 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="e0ab1773-07c1-46c6-9170-4c5e81c00927">
+    <topic>curl -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>curl</name>
+	<range><ge>7.14.1</ge><lt>7.60.0</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>curl security problems:</p>
+	<blockquote cite="https://curl.haxx.se/docs/security.html">
+	  <p>CVE-2018-16839: SASL password overflow via integer overflow</p>
+	  <p>libcurl contains a buffer overrun in the SASL authentication code.</p>
+	  <p>The internal function Curl_auth_create_plain_message fails to
+	    correctly verify that the passed in lengths for name and password
+	    aren't too long, then calculates a buffer size to allocate.</p>
+	  <p>On systems with a 32 bit size_t, the math to calculate the buffer size
+	    triggers an integer overflow when the user name length exceeds 2GB
+	    (2^31 bytes). This integer overflow usually causes a very small buffer
+	    to actually get allocated instead of the intended very huge one, making
+	    the use of that buffer end up in a heap buffer overflow.</p>
+	  <p>This bug is very similar to CVE-2017-14618.</p>
+	  <p>It affects curl 7.33.0 to 7.61.1.</p>
+	  <p>CVE-2018-16840: use-after-free in handle close</p>
+	  <p>libcurl contains a heap use-after-free flaw in code related to closing
+	    an easy handle.</p>
+	  <p>When closing and cleaning up an "easy" handle in the Curl_close()
+	    function, the library code first frees a struct (without nulling the
+	    pointer) and might then subsequently erroneously write to a struct
+	    field within that already freed struct.</p>
+	  <p>It affects curl 7.59.0 to 7.61.1.</p>
+	  <p>CVE-2018-16842: warning message out-of-buffer read</p>
+	  <p>curl contains a heap out of buffer read vulnerability.</p>
+	  <p>The command line tool has a generic function for displaying warning
+	    and informational messages to stderr for various situations. For
+	    example if an unknown command line argument is used, or passed to it in
+	    a "config" file.</p>
+	  <p>This display function formats the output to wrap at 80 columns. The
+	    wrap logic is however flawed, so if a single word in the message is
+	    itself longer than 80 bytes the buffer arithmetic calculates the
+	    remainder wrong and will end up reading behind the end of the buffer.
+	    This could lead to information disclosure or crash.</p>
+	  <p>This vulnerability could lead to a security issue if used in this or
+	    similar situations:</p>
+	  <p>1. a server somewhere uses the curl command line to run something</p>
+	  <p>2. if it fails, it shows stderr to the user</p>
+	  <p>3. the server takes user input for parts of its command line input</p>
+	  <p>4. user provides something overly long that triggers this crash</p>
+	  <p>5. the stderr output may now contain user memory contents that wasn't
+	    meant to be available</p>
+	  <p>It affects curl 7.14.1 to 7.61.1.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://curl.haxx.se/docs/security.html</url>
+      <url>https://curl.haxx.se/docs/CVE-2018-16839.html</url>
+      <url>https://curl.haxx.se/docs/CVE-2018-16840.html</url>
+      <url>https://curl.haxx.se/docs/CVE-2018-16842.html</url>
+      <cvename>CVE-2018-16839</cvename>
+      <cvename>CVE-2018-16840</cvename>
+      <cvename>CVE-2018-16842</cvename>
+    </references>
+    <dates>
+      <discovery>2018-10-31</discovery>
+      <entry>2018-11-01</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="b51d9e83-de08-11e8-9416-001b217b3468">
     <topic>Gitlab -- SSRF in Kubernetes integration</topic>
     <affects>