Bug #9394

Bug #9392: curl: NTLM password overflow via integer overflow (CVE-2018-14618)

[3.8] curl: NTLM password overflow via integer overflow (CVE-2018-14618)

Added by Alicha CH 5 months ago. Updated 4 months ago.

Status: Closed
Priority: Normal
Assignee:
Category: Security
Target version:
Start date: 09/06/2018
Due date:
% Done: 100%
Estimated time:
Affected versions:
Security IDs:

Description

The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM)
to figure out how large a temporary storage area to allocate from the heap. The length value is then subsequently
used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32-bit size_t,
the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer
overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the
use of that buffer end up in a heap buffer overflow.

Affected versions:

libcurl 7.15.4 up to and including 7.61.0

Not affected versions:

libcurl < 7.15.4 and >= 7.61.1

References:

https://curl.haxx.se/docs/CVE-2018-14618.html

Patch:

https://github.com/curl/curl/commit/57d299a499155d4b327e341c6024e293b0418243.patch
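
The wraparound in the description, reproduced as an added example (not code from curl or from Alpine): the unchecked doubling is modelled with a 32-bit type so it shows on any host, next to a checked expansion that refuses the length before allocating. The type `size32_t`, all function names, the two-bytes-per-character output layout and the sample lengths are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumption: uint32_t models a 32-bit size_t; all names are hypothetical. */
typedef uint32_t size32_t;

/* Unchecked doubling (the SUM of the description), modulo 2^32. */
static size32_t alloc_size_unchecked(size32_t len)
{
  return (size32_t)(len * 2u);
}

/* Bytes the 2-per-character loop needs beyond what the wrapped size gives. */
static uint64_t overflow_bytes(size32_t len)
{
  return (uint64_t)len * 2u - alloc_size_unchecked(len);
}

/* Checked 2-bytes-per-character expansion; -1 on overflow or malloc failure.
   On success the caller owns *out, which holds len * 2 bytes. */
static int expand_password(const char *pw, size_t len, unsigned char **out)
{
  unsigned char *buf;
  size_t i;
  if(len > SIZE_MAX / 2)
    return -1; /* doubling would wrap: refuse before allocating */
  buf = malloc(len ? len * 2 : 1);
  if(!buf)
    return -1;
  for(i = 0; i < len; i++) {
    buf[2 * i] = (unsigned char)pw[i]; /* low byte first */
    buf[2 * i + 1] = 0;                /* high byte zero */
  }
  *out = buf;
  return 0;
}

int main(void)
{
  unsigned char *out = NULL;
  int rc = expand_password("pw", 2, &out); /* constructed sample input */
  printf("wrapped=%lu short_by=%llu rc=%d\n",
         (unsigned long)alloc_size_unchecked(0x80000001u), /* constructed */
         (unsigned long long)overflow_bytes(0x80000001u), rc);
  free(out);
  return 0;
}
```
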

Associated revisions

Revision 9866a098 (diff)
Added by Natanael Copa 5 months ago

main/curl: security upgrade to 7.61.1 (CVE-2018-14618)

fixes #9394

History

#1 Updated by Natanael Copa 5 months ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100

#2 Updated by Alicha CH 4 months ago

  • Project changed from Alpine Security to Alpine Linux
  • Category set to Security
  • Status changed from Resolved to Closed
  • Security IDs deleted (CVE-2018-14618)
