Daniel Stenberg
2018-10-31 06:55:42 UTC
use-after-free in handle close
==============================
Project curl Security Advisory, October 31st 2018 -
[Permalink](https://curl.haxx.se/docs/CVE-2018-16840.html)
VULNERABILITY
-------------
libcurl contains a heap use-after-free flaw in code related to closing an easy
handle.
When closing and cleaning up an "easy" handle in the `Curl_close()` function,
the library code first frees a struct (without nulling the pointer) and might
then subsequently erroneously write to a struct field within that already
freed struct.
We are not aware of any exploit of this flaw.
INFO
----
This bug was introduced in [commit
b46cfbc068](https://github.com/curl/curl/commit/b46cfbc068), February 2018.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2018-16840 to this issue.
CWE-416: Use After Free
Severity: 2.3 (Low)
AFFECTED VERSIONS
-----------------
- Affected versions: libcurl 7.59.0 to and including 7.61.1
- Not affected versions: libcurl < 7.59.0 and >= 7.62.0
curl is used by many applications, but not always advertised as such.
THE SOLUTION
------------
A [patch for
CVE-2018-16840](https://github.com/curl/curl/commit/81d135d67155c5295b1033679c606165d4e28f3f)
is available.
RECOMMENDATIONS
---------------
We suggest you take one of the following actions immediately, in order of
preference:
A - Upgrade curl to version 7.62.0
B - Apply the patch to your version and rebuild
TIME LINE
---------
It was reported to the curl project on October 14, 2018. We contacted
***@openwall on October 22.
curl 7.62.0 was released on October 31 2018, coordinated with the publication
of this advisory.
CREDITS
-------
Reported by Brian Carpenter, Geeknik Labs. Patch by Daniel Stenberg.
Thanks a lot!
==============================
Project curl Security Advisory, October 31st 2018 -
[Permalink](https://curl.haxx.se/docs/CVE-2018-16840.html)
VULNERABILITY
-------------
libcurl contains a heap use-after-free flaw in code related to closing an easy
handle.
When closing and cleaning up an "easy" handle in the `Curl_close()` function,
the library code first frees a struct (without nulling the pointer) and might
then subsequently erroneously write to a struct field within that already
freed struct.
We are not aware of any exploit of this flaw.
INFO
----
This bug was introduced in [commit
b46cfbc068](https://github.com/curl/curl/commit/b46cfbc068), February 2018.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2018-16840 to this issue.
CWE-416: Use After Free
Severity: 2.3 (Low)
AFFECTED VERSIONS
-----------------
- Affected versions: libcurl 7.59.0 to and including 7.61.1
- Not affected versions: libcurl < 7.59.0 and >= 7.62.0
curl is used by many applications, but not always advertised as such.
THE SOLUTION
------------
A [patch for
CVE-2018-16840](https://github.com/curl/curl/commit/81d135d67155c5295b1033679c606165d4e28f3f)
is available.
RECOMMENDATIONS
---------------
We suggest you take one of the following actions immediately, in order of
preference:
A - Upgrade curl to version 7.62.0
B - Apply the patch to your version and rebuild
TIME LINE
---------
It was reported to the curl project on October 14, 2018. We contacted
***@openwall on October 22.
curl 7.62.0 was released on October 31 2018, coordinated with the publication
of this advisory.
CREDITS
-------
Reported by Brian Carpenter, Geeknik Labs. Patch by Daniel Stenberg.
Thanks a lot!
--
/ daniel.haxx.se
/ daniel.haxx.se