oss-sec mailing list archives
[SECURITY ADVISORY] curl - use-after-free in handle close
From: Daniel Stenberg <daniel () haxx se>
Date: Wed, 31 Oct 2018 07:55:42 +0100 (CET)
use-after-free in handle close ============================== Project curl Security Advisory, October 31st 2018 - [Permalink](https://curl.haxx.se/docs/CVE-2018-16840.html) VULNERABILITY ------------- libcurl contains a heap use-after-free flaw in code related to closing an easy handle. When closing and cleaning up an "easy" handle in the `Curl_close()` function, the library code first frees a struct (without nulling the pointer) and might then subsequently erroneously write to a struct field within that already freed struct. We are not aware of any exploit of this flaw. INFO ---- This bug was introduced in [commit b46cfbc068](https://github.com/curl/curl/commit/b46cfbc068), February 2018. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2018-16840 to this issue. CWE-416: Use After Free Severity: 2.3 (Low) AFFECTED VERSIONS ----------------- - Affected versions: libcurl 7.59.0 to and including 7.61.1 - Not affected versions: libcurl < 7.59.0 and >= 7.62.0 curl is used by many applications, but not always advertised as such. THE SOLUTION ------------ A [patch for CVE-2018-16840](https://github.com/curl/curl/commit/81d135d67155c5295b1033679c606165d4e28f3f) is available. RECOMMENDATIONS --------------- We suggest you take one of the following actions immediately, in order of preference: A - Upgrade curl to version 7.62.0 B - Apply the patch to your version and rebuild TIME LINE --------- It was reported to the curl project on October 14, 2018. We contacted distros@openwall on October 22. curl 7.62.0 was released on October 31 2018, coordinated with the publication of this advisory. CREDITS ------- Reported by Brian Carpenter, Geeknik Labs. Patch by Daniel Stenberg. Thanks a lot! -- / daniel.haxx.se
Current thread:
- [SECURITY ADVISORY] curl - use-after-free in handle close Daniel Stenberg (Oct 30)