oss-sec mailing list archives
[SECURITY ADVISORY] curl: LDAP NULL pointer dereference
From: Daniel Stenberg <daniel () haxx se>
Date: Wed, 14 Mar 2018 07:55:08 +0100 (CET)
LDAP NULL pointer dereference ============================= Project curl Security Advisory, March 14th 2018 - [Permalink](https://curl.haxx.se/docs/adv_2018-97a2.html) VULNERABILITY ------------- curl might dereference a near-NULL address when getting an LDAP URL. The function `ldap_get_attribute_ber()` is called to get attributes, but it turns out that it can return `LDAP_SUCCESS` and still return a `NULL` pointer in the result pointer when getting a particularly crafted response. This was a surprise to us and to the code. libcurl-using applications that allow LDAP URLs, or that allow redirects to LDAP URLs could be made to crash by a malicious server. We are not aware of any exploit of this flaw. INFO ---- The bug is only present in curl versions built to use OpenLDAP. This bug was introduced in May 2010 in [this commit](https://github.com/curl/curl/commit/2e056353b00d09). The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2018-1000121 to this issue. CWE-476: NULL Pointer Dereference AFFECTED VERSIONS ----------------- - Affected versions: curl 7.21.0 to and including curl 7.58.0 - Not affected versions: curl < 7.21.0 and curl >= 7.59.0 libcurl is used by many applications, but not always advertised as such. THE SOLUTION ------------ In curl version 7.59.0, curl checks the pointer properly before using it. A [patch for CVE-2018-1000121](https://curl.haxx.se/CVE-2018-1000121.patch) is available. RECOMMENDATIONS --------------- We suggest you take one of the following actions immediately, in order of preference: A - Upgrade curl to version 7.59.0 B - Apply the patch to your version and rebuild C - Make sure you disable LDAP in your transfers TIME LINE --------- It was reported to the curl project on March 6, 2018 We contacted distros@openwall on March 7, 2018. curl 7.59.0 was released on March 14 2018, coordinated with the publication of this advisory. CREDITS ------- Reported by Dario Weisser. Patch by Daniel Stenberg. Thanks a lot! -- / daniel.haxx.se
Current thread:
- [SECURITY ADVISORY] curl: LDAP NULL pointer dereference Daniel Stenberg (Mar 13)