Document curl vulnerability

1 files changed, 58 insertions, 0 deletions

diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index 56afd4ab1836..6cfa612fec1b 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -58,6 +58,64 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="04fe6c8d-2a34-4009-a81e-e7a7e759b5d2">
+    <topic>cURL -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>curl</name>
+	<range><lt>7.60.0</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>cURL security problems:</p>
+	<blockquote cite="https://curl.haxx.se/docs/security.html">
+	  <p>CVE-2018-1000300: FTP shutdown response buffer overflow</p>
+	  <p>curl might overflow a heap based memory buffer when closing down an
+	    FTP connection with very long server command replies.</p>
+	  <p>When doing FTP transfers, curl keeps a spare "closure handle" around
+	    internally that will be used when an FTP connection gets shut down
+	    since the original curl easy handle is then already removed.</p>
+	  <p>FTP server response data that gets cached from the original transfer
+	    might then be larger than the default buffer size (16 KB) allocated in
+	    the "closure handle", which can lead to a buffer overwrite. The
+	    contents and size of that overwrite is controllable by the server.</p>
+	  <p>This situation was detected by an assert() in the code, but that was
+	    of course only preventing bad stuff in debug builds. This bug is very
+	    unlikely to trigger with non-malicious servers.</p>
+	  <p>We are not aware of any exploit of this flaw.</p>
+	  <p>CVE-2018-1000301: RTSP bad headers buffer over-read</p>
+	  <p>curl can be tricked into reading data beyond the end of a heap based
+	    buffer used to store downloaded content.</p>
+	  <p>When servers send RTSP responses back to curl, the data starts out
+	    with a set of headers. curl parses that data to separate it into a
+	    number of headers to deal with those appropriately and to find the end
+	    of the headers that signal the start of the "body" part.</p>
+	  <p>The function that splits up the response into headers is called
+	    Curl_http_readwrite_headers() and in situations where it can't find a
+	    single header in the buffer, it might end up leaving a pointer pointing
+	    into the buffer instead of to the start of the buffer which then later
+	    on may lead to an out of buffer read when code assumes that pointer
+	    points to a full buffer size worth of memory to use.</p>
+	  <p>This could potentially lead to information leakage but most likely a
+	    crash/denial of service for applications if a server triggers this flaw.</p>
+	  <p>We are not aware of any exploit of this flaw.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://curl.haxx.se/docs/security.html</url>
+      <url>https://curl.haxx.se/docs/adv_2018-82c2.html</url>
+      <url>https://curl.haxx.se/docs/adv_2018-b138.html</url>
+      <cvename>CVE-2018-1000300</cvename>
+      <cvename>CVE-2018-1000301</cvename>
+    </references>
+    <dates>
+      <discovery>2018-05-16</discovery>
+      <entry>2018-05-16</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="50210bc1-54ef-11e8-95d9-9c5c8e75236a">
     <topic>wavpack -- multiple vulnerabilities</topic>
     <affects>