ASA-2018-00019 – curl: Use-after-free in handle close


Allele Security Alert

ASA-2018-00019

Identifier(s)

ASA-2018-00019, CVE-2018-16840

Title

Use-after-free in handle close

Vendor(s)

the Curl project

Product(s)

curl

Affected version(s)

libcurl 7.59.0 to and including 7.61.1

Fixed version(s)

libcurl >= 7.62.0

Proof of concept

Unknown

Description

libcurl contains a heap use-after-free flaw in code related to closing an easy handle.

When closing and cleaning up an "easy" handle in the Curl_close() function, the library code first frees a struct (without nulling the pointer to it) and may then erroneously write to a field of that already freed struct.
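As an added illustration (not curl's own code), the following constructed C model shows the close pattern the description gives: the dangling-pointer shape next to the fix from the referenced commit, which clears data->multi_easy right after freeing it. Only `Curl_close()`, `multi_easy` and the version numbers come from this alert; the struct names, `late_cleanup_step()`, `num_easy` and the stand-in cleanup function are assumptions.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed model of the pattern, not libcurl's real structures. */
struct multi_model {
    int num_easy;                     /* hypothetical field touched during cleanup */
};
struct easy_model {
    struct multi_model *multi_easy;   /* multi created privately for curl_easy_perform() */
};

/* Stand-in for curl_multi_cleanup(): releases the multi handle. */
void multi_cleanup_model(struct multi_model *m) { free(m); }

/* A later cleanup step that still dereferences data->multi_easy; true if it wrote. */
bool late_cleanup_step(struct easy_model *data)
{
    if(!data->multi_easy)
        return false;
    data->multi_easy->num_easy = 0;
    return true;
}

/* Vulnerable shape (7.59.0 - 7.61.1): pointer left dangling, guard passes, write hits freed heap. */
bool close_vulnerable(struct easy_model *data)
{
    if(data->multi_easy)
        multi_cleanup_model(data->multi_easy);
    return late_cleanup_step(data);   /* heap use-after-free */
}

/* Fixed shape (7.62.0): clear the pointer right after freeing so later NULL checks hold. */
bool close_fixed(struct easy_model *data)
{
    if(data->multi_easy) {
        multi_cleanup_model(data->multi_easy);
        data->multi_easy = NULL;
    }
    return late_cleanup_step(data);   /* now false: nothing is written */
}

/* Exercises the fixed path: true when the pointer was cleared and no late write happened. */
bool fixed_close_is_safe(void)
{
    struct easy_model data = { calloc(1, sizeof(struct multi_model)) };
    bool wrote = close_fixed(&data);
    return !wrote && data.multi_easy == NULL;
}
```

Building the model with AddressSanitizer and calling close_vulnerable() on a handle with a live multi_easy reports the heap-use-after-free; the same check on close_fixed() stays silent.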

Technical details

Unknown

Credits

Brian Carpenter (Geeknik Labs)

Reference(s)

CURL 7.62.0 MOAR STUFF
https://daniel.haxx.se/blog/2018/10/31/curl-7-62-0-moar-stuff/

use-after-free in handle close
https://curl.haxx.se/docs/CVE-2018-16840.html

TODO fixed: Detect when called from within callbacks
https://github.com/curl/curl/commit/b46cfbc068

Curl_close: clear data->multi_easy on free to avoid use-after-free
https://github.com/curl/curl/commit/81d135d67155c5295b1033679c606165d4e28f3f

CVE-2018-16840
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16840

CVE-2018-16840
https://nvd.nist.gov/vuln/detail/CVE-2018-16840

If there is any error in this alert or you would like a comprehensive analysis, let us know.

Last modified: February 6, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.