Project

General

Profile

Bug #9992

Bug #9990: curl: Multiple vulnerabilities (CVE-2018-16890, CVE-2019-3822, CVE-2019-3823)

[3.8] curl: Multiple vulnerabilities (CVE-2018-16890, CVE-2019-3822, CVE-2019-3823)

Added by Alicha CH about 2 months ago. Updated about 1 month ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Security
Target version:
Start date:
02/20/2019
Due date:
% Done:

100%

Estimated time:
Affected versions:
Security IDs:
CVE-2018-16890, CVE-2019-3822, CVE-2019-3823

Description

CVE-2018-16890: NTLM type-2 out-of-bounds buffer read

The function handling incoming NTLM type-2 messages (lib/vauth/ntlm.c:ntlm_decode_type2_target) does not validate incoming data correctly and is subject to an integer overflow vulnerability.
Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length + offset combination that would lead to a buffer read out-of-bounds.

Affected versions:

libcurl 7.36.0 to and including 7.63.0

Not affected versions:

libcurl < 7.36.0 and >= 7.64.0

References:

https://curl.haxx.se/docs/CVE-2018-16890.html

Patch:

https://github.com/curl/curl/commit/b780b30d1377adb10bbe774835f49e9b237fb9bb

CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow

The function creating an outgoing NTLM type-3 header (lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()), generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening.
This output data can grow larger than the local buffer if very large "nt response" data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server. Such a "large value" needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header.

Affected versions:

libcurl 7.36.0 to and including 7.63.0

Not affected versions:

libcurl < 7.36.0 and >= 7.64.0

References:

https://curl.haxx.se/docs/CVE-2019-3822.html

Patch:

https://github.com/curl/curl/commit/86724581b6c

CVE-2019-3823: SMTP end-of-response out-of-bounds read

If the buffer passed to smtp_endofresp() isn't NUL terminated and contains no character ending the parsed number, and len is set to 5,
then the strtol() call reads beyond the allocated buffer. The read contents will not be returned to the caller.

Affected versions:

libcurl 7.34.0 to and including 7.63.0

Not affected versions:

libcurl < 7.34.0

References:

https://curl.haxx.se/docs/CVE-2019-3823.html

Patch:

https://github.com/curl/curl/commit/39df4073e5413fcdbb5a38da0c1ce6f1c0ceb484

Associated revisions

Revision 5ba18f0c (diff)
Added by Leonardo Arena about 1 month ago

main/curl: security fixes

CVE-2018-16890, CVE-2019-3822, CVE-2019-3823

Fixes #9992

History

#1 Updated by Anonymous about 1 month ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100

#2 Updated by Alicha CH about 1 month ago

  • Project changed from Alpine Security to Alpine Linux
  • Category set to Security
  • Status changed from Resolved to Closed

Also available in: Atom PDF