[3.8] curl: NTLM password overflow via integer overflow (CVE-2018-14618)
The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large a temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32-bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very large one, so the loop that writes into that buffer ends up in a heap buffer overflow.
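The following C program is an added illustration, not curl's own code, of the size-calculation bug class described above and of the overflow check that prevents it. It models a 32-bit size_t with uint32_t so the wraparound reproduces on a 64-bit host; the function names, the constructed length 0x80000001 and the loop-bounds helper are assumptions made for the example.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Model a 32-bit size_t explicitly so the wraparound is reproducible on a
 * 64-bit host. Constructed for illustration; not the curl implementation. */
typedef uint32_t size32_t;
#define SIZE32_MAX UINT32_MAX

/* Unchecked form of the SUM computation: len * 2 wraps modulo 2^32 as soon
 * as len exceeds 2^31 - 1. Returns the value an allocator would be asked for. */
size32_t unchecked_buffer_size(size32_t len)
{
    return len * 2;
}

/* Checked form: refuse before multiplying if len * 2 cannot be represented.
 * Returns 1 and stores the product on success, 0 when it would overflow
 * (the caller then treats the request like an allocation failure). */
int checked_buffer_size(size32_t len, size32_t *out)
{
    if (len > SIZE32_MAX / 2)
        return 0;
    *out = len * 2;
    return 1;
}

/* Mimic the allocate-then-iterate pattern: given the computed allocation
 * size, report whether a loop writing 2 * len bytes stays within it.
 * The product is computed in 64 bits so the comparison itself cannot wrap. */
int loop_stays_in_bounds(size32_t len, size32_t alloc_size)
{
    return (uint64_t)len * 2 <= (uint64_t)alloc_size;
}

int main(void)
{
    size32_t len = 0x80000001u;  /* constructed: one byte past 2^31 */
    size32_t wrapped = unchecked_buffer_size(len);
    printf("unchecked: len=%" PRIu32 " -> alloc %" PRIu32 " bytes (wrapped)\n",
           len, wrapped);
    printf("loop stays in bounds: %d\n", loop_stays_in_bounds(len, wrapped));

    size32_t safe;
    if (!checked_buffer_size(len, &safe))
        printf("checked: refused len=%" PRIu32 " before allocating\n", len);
    return 0;
}
```

With the constructed length, the unchecked product wraps to 2, so a 2-byte heap block would be allocated while the copy loop still runs for 2^32 + 2 bytes; the checked variant rejects the length before any allocation happens.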
Affected versions:
libcurl 7.15.4 to and including 7.61.0
Not affected versions:
libcurl < 7.15.4 and >= 7.61.1
References:
https://curl.haxx.se/docs/CVE-2018-14618.html
Patch:
https://github.com/curl/curl/commit/57d299a499155d4b327e341c6024e293b0418243.patch
(from redmine: issue id 9394, created on 2018-09-06, closed on 2018-09-20)
- Relations:
- parent #9392 (closed)
- Changesets:
- Revision 9866a098 by Natanael Copa on 2018-09-10T17:19:21Z:
main/curl: security upgrade to 7.61.1 (CVE-2018-14618)
fixes #9394