Curl/Rsync Updates for Arch Linux

Arch Linux 752 Published 2018-01-30 09:12 by Philipp Esselbach

News

The following security advisories has been published for Arch Linux:

ASA-201801-20: curl: multiple issues
ASA-201801-21: rsync: multiple issues
ASA-201801-22: lib32-curl: multiple issues
ASA-201801-23: libcurl-compat: multiple issues
ASA-201801-24: libcurl-gnutls: multiple issues
ASA-201801-25: lib32-libcurl-gnutls: multiple issues
ASA-201801-26: lib32-libcurl-compat: multiple issues

ASA-201801-20: curl: multiple issues

Arch Linux Security Advisory ASA-201801-20
==========================================

Severity: Medium
Date : 2018-01-28
CVE-ID : CVE-2018-1000005 CVE-2018-1000007
Package : curl
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-593

Summary
=======

The package curl before version 7.58.0-1 is vulnerable to multiple
issues including denial of service and information disclosure.

Resolution
==========

Upgrade to 7.58.0-1.

# pacman -Syu "curl>=7.58.0-1"

The problems have been fixed upstream in version 7.58.0.

Workaround
==========

None.

Description
===========

- CVE-2018-1000005 (denial of service)

libcurl contains an out bounds read in code handling HTTP/2 trailers.
It was reported that reading an HTTP/2 trailer could mess up future
trailers since the stored size was one byte less than required. The
problem is that the code that creates HTTP/1-like headers from the
HTTP/2 trailer data once appended a string like `":"` to the target
buffer, while this was recently changed to `": "` (a space was added
after the colon) but the associated math wasn't updated
correspondingly. When accessed, the data is read out of bounds and
causes either a crash or that the (too large) data gets passed to the
libcurl callback. This might lead to a denial-of-service situation or
an information disclosure if someone has a service that echoes back or
uses the trailers for something.

- CVE-2018-1000007 (information disclosure)

libcurl might leak authentication data to third parties. When asked to
send custom headers in its HTTP requests, libcurl will send that set of
headers first to the host in the initial URL but also, if asked to
follow redirects and a 30X HTTP response code is returned, to the host
mentioned in URL in the `Location:` response header value. Sending the
same set of headers to subsequest hosts is in particular a problem for
applications that pass on custom `Authorization:` headers, as this
header often contains privacy sensitive information or data that could
allow others to impersonate the libcurl-using client's request.

Impact
======

A remote attacker is able to crash the application or possibly disclose
sensitive information on the affected host.

References
==========

https://curl.haxx.se/docs/adv_2018-824a.html
https://github.com/curl/curl/commit/fa3dbb9a147488a2943bda809c66fc497efe06cb
https://curl.haxx.se/docs/adv_2018-b3bf.html
https://github.com/curl/curl/commit/af32cd3859336ab963591ca0df9b1e33a7ee066b
https://security.archlinux.org/CVE-2018-1000005
https://security.archlinux.org/CVE-2018-1000007

ASA-201801-21: rsync: multiple issues

Arch Linux Security Advisory ASA-201801-21
==========================================

Severity: High
Date : 2018-01-29
CVE-ID : CVE-2017-16548 CVE-2017-17433 CVE-2017-17434 CVE-2018-5764
Package : rsync
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-542

Summary
=======

The package rsync before version 3.1.3pre1-1 is vulnerable to multiple
issues including access restriction bypass and denial of service.

Resolution
==========

Upgrade to 3.1.3pre1-1.

# pacman -Syu "rsync>=3.1.3pre1-1"

The problems have been fixed upstream in version 3.1.3pre1.

Workaround
==========

None.

Description
===========

- CVE-2017-16548 (denial of service)

The receive_xattr function in xattrs.c in rsync 3.1.2 and
3.1.3-development does not check for a trailing '\0' character in an
xattr name, which allows remote attackers to cause a denial of service
(heap-based buffer over-read and application crash) or possibly have
unspecified other impact by sending crafted data to the daemon.

- CVE-2017-17433 (access restriction bypass)

The recv_files function in receiver.c in the daemon in rsync 3.1.2, and
3.1.3-development before 2017-11-03, proceeds with certain file
metadata updates before checking for a filename in the
daemon_filter_list data structure, which allows remote attackers to
bypass intended access restrictions.

- CVE-2017-17434 (access restriction bypass)

The daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03,
does not check for fnamecmp filenames in the daemon_filter_list data
structure (in the recv_files function in receiver.c) and also does not
apply the sanitize_paths protection mechanism to pathnames found in
"xname follows" strings (in the read_ndx_and_attrs function in
rsync.c), which allows remote attackers to bypass intended access
restrictions.

- CVE-2018-5764 (access restriction bypass)

The parse_arguments function in options.c in rsyncd in rsync before
3.1.3 does not prevent multiple --protect-args uses, which allows
remote attackers to bypass an argument-sanitization protection
mechanism.

Impact
======

A remote attacker is able to bypass access restrictions or cause a
denial of service by sending a maliciously crafted request to rsyncd.

References
==========

https://bugs.archlinux.org/task/57111
https://git.samba.org/?p=rsync.git;a=commitdiff;h=47a63d90e71d3e19e0e96052bb8c6b9cb140ecc1
https://git.samba.org/?p=rsync.git;a=commitdiff;h=3e06d40029cfdce9d0f73d87cfd4edaf54be9c51
https://git.samba.org/?p=rsync.git;a=commitdiff;h=5509597decdbd7b91994210f700329d8a35e70a1
https://git.samba.org/?p=rsync.git;a=commitdiff;h=70aeb5fddd1b2f8e143276f8d5a085db16c593b9
https://git.samba.org/?p=rsync.git;a=commitdiff;h=7706303828fcde524222babb2833864a4bd09e07
https://security.archlinux.org/CVE-2017-16548
https://security.archlinux.org/CVE-2017-17433
https://security.archlinux.org/CVE-2017-17434
https://security.archlinux.org/CVE-2018-5764

ASA-201801-22: lib32-curl: multiple issues

Arch Linux Security Advisory ASA-201801-22
==========================================

Severity: Medium
Date : 2018-01-29
CVE-ID : CVE-2018-1000005 CVE-2018-1000007
Package : lib32-curl
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-594

Summary
=======

The package lib32-curl before version 7.58.0-1 is vulnerable to
multiple issues including denial of service and information disclosure.

Resolution
==========

Upgrade to 7.58.0-1.

# pacman -Syu "lib32-curl>=7.58.0-1"

The problems have been fixed upstream in version 7.58.0.

Workaround
==========

None.

Description
===========

- CVE-2018-1000005 (denial of service)

libcurl contains an out bounds read in code handling HTTP/2 trailers.
It was reported that reading an HTTP/2 trailer could mess up future
trailers since the stored size was one byte less than required. The
problem is that the code that creates HTTP/1-like headers from the
HTTP/2 trailer data once appended a string like `":"` to the target
buffer, while this was recently changed to `": "` (a space was added
after the colon) but the associated math wasn't updated
correspondingly. When accessed, the data is read out of bounds and
causes either a crash or that the (too large) data gets passed to the
libcurl callback. This might lead to a denial-of-service situation or
an information disclosure if someone has a service that echoes back or
uses the trailers for something.

- CVE-2018-1000007 (information disclosure)

libcurl might leak authentication data to third parties. When asked to
send custom headers in its HTTP requests, libcurl will send that set of
headers first to the host in the initial URL but also, if asked to
follow redirects and a 30X HTTP response code is returned, to the host
mentioned in URL in the `Location:` response header value. Sending the
same set of headers to subsequest hosts is in particular a problem for
applications that pass on custom `Authorization:` headers, as this
header often contains privacy sensitive information or data that could
allow others to impersonate the libcurl-using client's request.

Impact
======

A remote attacker is able to crash the application or possibly disclose
sensitive information on the affected host.

References
==========

https://curl.haxx.se/docs/adv_2018-824a.html
https://github.com/curl/curl/commit/fa3dbb9a147488a2943bda809c66fc497efe06cb
https://curl.haxx.se/docs/adv_2018-b3bf.html
https://github.com/curl/curl/commit/af32cd3859336ab963591ca0df9b1e33a7ee066b
https://security.archlinux.org/CVE-2018-1000005
https://security.archlinux.org/CVE-2018-1000007

ASA-201801-23: libcurl-compat: multiple issues

Arch Linux Security Advisory ASA-201801-23
==========================================

Severity: Medium
Date : 2018-01-29
CVE-ID : CVE-2018-1000005 CVE-2018-1000007
Package : libcurl-compat
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-595

Summary
=======

The package libcurl-compat before version 7.58.0-1 is vulnerable to
multiple issues including denial of service and information disclosure.

Resolution
==========

Upgrade to 7.58.0-1.

# pacman -Syu "libcurl-compat>=7.58.0-1"

The problems have been fixed upstream in version 7.58.0.

Workaround
==========

None.

Description
===========

- CVE-2018-1000005 (denial of service)

libcurl contains an out bounds read in code handling HTTP/2 trailers.
It was reported that reading an HTTP/2 trailer could mess up future
trailers since the stored size was one byte less than required. The
problem is that the code that creates HTTP/1-like headers from the
HTTP/2 trailer data once appended a string like `":"` to the target
buffer, while this was recently changed to `": "` (a space was added
after the colon) but the associated math wasn't updated
correspondingly. When accessed, the data is read out of bounds and
causes either a crash or that the (too large) data gets passed to the
libcurl callback. This might lead to a denial-of-service situation or
an information disclosure if someone has a service that echoes back or
uses the trailers for something.

- CVE-2018-1000007 (information disclosure)

libcurl might leak authentication data to third parties. When asked to
send custom headers in its HTTP requests, libcurl will send that set of
headers first to the host in the initial URL but also, if asked to
follow redirects and a 30X HTTP response code is returned, to the host
mentioned in URL in the `Location:` response header value. Sending the
same set of headers to subsequest hosts is in particular a problem for
applications that pass on custom `Authorization:` headers, as this
header often contains privacy sensitive information or data that could
allow others to impersonate the libcurl-using client's request.

Impact
======

A remote attacker is able to crash the application or possibly disclose
sensitive information on the affected host.

References
==========

https://curl.haxx.se/docs/adv_2018-824a.html
https://github.com/curl/curl/commit/fa3dbb9a147488a2943bda809c66fc497efe06cb
https://curl.haxx.se/docs/adv_2018-b3bf.html
https://github.com/curl/curl/commit/af32cd3859336ab963591ca0df9b1e33a7ee066b
https://security.archlinux.org/CVE-2018-1000005
https://security.archlinux.org/CVE-2018-1000007

ASA-201801-24: libcurl-gnutls: multiple issues

Arch Linux Security Advisory ASA-201801-24
==========================================

Severity: Medium
Date : 2018-01-29
CVE-ID : CVE-2018-1000005 CVE-2018-1000007
Package : libcurl-gnutls
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-596

Summary
=======

The package libcurl-gnutls before version 7.58.0-1 is vulnerable to
multiple issues including denial of service and information disclosure.

Resolution
==========

Upgrade to 7.58.0-1.

# pacman -Syu "libcurl-gnutls>=7.58.0-1"

The problems have been fixed upstream in version 7.58.0.

Workaround
==========

None.

Description
===========

- CVE-2018-1000005 (denial of service)

libcurl contains an out bounds read in code handling HTTP/2 trailers.
It was reported that reading an HTTP/2 trailer could mess up future
trailers since the stored size was one byte less than required. The
problem is that the code that creates HTTP/1-like headers from the
HTTP/2 trailer data once appended a string like `":"` to the target
buffer, while this was recently changed to `": "` (a space was added
after the colon) but the associated math wasn't updated
correspondingly. When accessed, the data is read out of bounds and
causes either a crash or that the (too large) data gets passed to the
libcurl callback. This might lead to a denial-of-service situation or
an information disclosure if someone has a service that echoes back or
uses the trailers for something.

- CVE-2018-1000007 (information disclosure)

libcurl might leak authentication data to third parties. When asked to
send custom headers in its HTTP requests, libcurl will send that set of
headers first to the host in the initial URL but also, if asked to
follow redirects and a 30X HTTP response code is returned, to the host
mentioned in URL in the `Location:` response header value. Sending the
same set of headers to subsequest hosts is in particular a problem for
applications that pass on custom `Authorization:` headers, as this
header often contains privacy sensitive information or data that could
allow others to impersonate the libcurl-using client's request.

Impact
======

A remote attacker is able to crash the application or possibly disclose
sensitive information on the affected host.

References
==========

https://curl.haxx.se/docs/adv_2018-824a.html
https://github.com/curl/curl/commit/fa3dbb9a147488a2943bda809c66fc497efe06cb
https://curl.haxx.se/docs/adv_2018-b3bf.html
https://github.com/curl/curl/commit/af32cd3859336ab963591ca0df9b1e33a7ee066b
https://security.archlinux.org/CVE-2018-1000005
https://security.archlinux.org/CVE-2018-1000007

ASA-201801-25: lib32-libcurl-gnutls: multiple issues

Arch Linux Security Advisory ASA-201801-25
==========================================

Severity: Medium
Date : 2018-01-29
CVE-ID : CVE-2018-1000005 CVE-2018-1000007
Package : lib32-libcurl-gnutls
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-597

Summary
=======

The package lib32-libcurl-gnutls before version 7.58.0-1 is vulnerable
to multiple issues including denial of service and information
disclosure.

Resolution
==========

Upgrade to 7.58.0-1.

# pacman -Syu "lib32-libcurl-gnutls>=7.58.0-1"

The problems have been fixed upstream in version 7.58.0.

Workaround
==========

None.

Description
===========

- CVE-2018-1000005 (denial of service)

libcurl contains an out bounds read in code handling HTTP/2 trailers.
It was reported that reading an HTTP/2 trailer could mess up future
trailers since the stored size was one byte less than required. The
problem is that the code that creates HTTP/1-like headers from the
HTTP/2 trailer data once appended a string like `":"` to the target
buffer, while this was recently changed to `": "` (a space was added
after the colon) but the associated math wasn't updated
correspondingly. When accessed, the data is read out of bounds and
causes either a crash or that the (too large) data gets passed to the
libcurl callback. This might lead to a denial-of-service situation or
an information disclosure if someone has a service that echoes back or
uses the trailers for something.

- CVE-2018-1000007 (information disclosure)

libcurl might leak authentication data to third parties. When asked to
send custom headers in its HTTP requests, libcurl will send that set of
headers first to the host in the initial URL but also, if asked to
follow redirects and a 30X HTTP response code is returned, to the host
mentioned in URL in the `Location:` response header value. Sending the
same set of headers to subsequest hosts is in particular a problem for
applications that pass on custom `Authorization:` headers, as this
header often contains privacy sensitive information or data that could
allow others to impersonate the libcurl-using client's request.

Impact
======

A remote attacker is able to crash the application or possibly disclose
sensitive information on the affected host.

References
==========

https://curl.haxx.se/docs/adv_2018-824a.html
https://github.com/curl/curl/commit/fa3dbb9a147488a2943bda809c66fc497efe06cb
https://curl.haxx.se/docs/adv_2018-b3bf.html
https://github.com/curl/curl/commit/af32cd3859336ab963591ca0df9b1e33a7ee066b
https://security.archlinux.org/CVE-2018-1000005
https://security.archlinux.org/CVE-2018-1000007

ASA-201801-26: lib32-libcurl-compat: multiple issues

Arch Linux Security Advisory ASA-201801-26
==========================================

Severity: Medium
Date : 2018-01-29
CVE-ID : CVE-2018-1000005 CVE-2018-1000007
Package : lib32-libcurl-compat
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-598

Summary
=======

The package lib32-libcurl-compat before version 7.58.0-1 is vulnerable
to multiple issues including denial of service and information
disclosure.

Resolution
==========

Upgrade to 7.58.0-1.

# pacman -Syu "lib32-libcurl-compat>=7.58.0-1"

The problems have been fixed upstream in version 7.58.0.

Workaround
==========

None.

Description
===========

- CVE-2018-1000005 (denial of service)

libcurl contains an out bounds read in code handling HTTP/2 trailers.
It was reported that reading an HTTP/2 trailer could mess up future
trailers since the stored size was one byte less than required. The
problem is that the code that creates HTTP/1-like headers from the
HTTP/2 trailer data once appended a string like `":"` to the target
buffer, while this was recently changed to `": "` (a space was added
after the colon) but the associated math wasn't updated
correspondingly. When accessed, the data is read out of bounds and
causes either a crash or that the (too large) data gets passed to the
libcurl callback. This might lead to a denial-of-service situation or
an information disclosure if someone has a service that echoes back or
uses the trailers for something.

- CVE-2018-1000007 (information disclosure)

libcurl might leak authentication data to third parties. When asked to
send custom headers in its HTTP requests, libcurl will send that set of
headers first to the host in the initial URL but also, if asked to
follow redirects and a 30X HTTP response code is returned, to the host
mentioned in URL in the `Location:` response header value. Sending the
same set of headers to subsequest hosts is in particular a problem for
applications that pass on custom `Authorization:` headers, as this
header often contains privacy sensitive information or data that could
allow others to impersonate the libcurl-using client's request.

Impact
======

A remote attacker is able to crash the application or possibly disclose
sensitive information on the affected host.

References
==========

https://curl.haxx.se/docs/adv_2018-824a.html
https://github.com/curl/curl/commit/fa3dbb9a147488a2943bda809c66fc497efe06cb
https://curl.haxx.se/docs/adv_2018-b3bf.html
https://github.com/curl/curl/commit/af32cd3859336ab963591ca0df9b1e33a7ee066b
https://security.archlinux.org/CVE-2018-1000005
https://security.archlinux.org/CVE-2018-1000007

Kernel/TzData Updates for Oracle Linux 6/7

Thunderbird/Kernel Updates for Ubuntu

Curl/Rsync Updates for Arch Linux

ASA-201801-20: curl: multiple issues

ASA-201801-21: rsync: multiple issues

ASA-201801-22: lib32-curl: multiple issues

ASA-201801-23: libcurl-compat: multiple issues

ASA-201801-24: libcurl-gnutls: multiple issues

ASA-201801-25: lib32-libcurl-gnutls: multiple issues

ASA-201801-26: lib32-libcurl-compat: multiple issues

Windows

Linux

macOS

Community