oss-sec mailing list archives
[SECURITY ADVISORY] curl - SASL password overflow via integer overflow
From: Daniel Stenberg <daniel () haxx se>
Date: Wed, 31 Oct 2018 07:55:37 +0100 (CET)
SASL password overflow via integer overflow =========================================== Project curl Security Advisory, October 31st 2018 - [Permalink](https://curl.haxx.se/docs/CVE-2018-16839.html) VULNERABILITY ------------- libcurl contains a buffer overrun in the SASL authentication code. The internal function `Curl_auth_create_plain_message` fails to correctly verify that the passed in lengths for name and password aren't too long, then calculates a buffer size to allocate. On systems with a 32 bit `size_t`, the math to calculate the buffer size triggers an integer overflow when the user name length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is very similar to [CVE-2017-14618](https://curl.haxx.se/docs/CVE-2018-14618.html).) We are not aware of any exploit of this flaw. INFO ---- The affected function can only be invoked when using POP3(S), IMAP(S) or SMTP(S). This bug was introduced in [commit c56f9797e7feb7c2dc](https://github.com/curl/curl/commit/c56f9797e7feb7c2dc), August 2013. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2018-16839 to this issue. CWE-131: Incorrect Calculation of Buffer Size Severity: 3.2 (Low) AFFECTED VERSIONS ----------------- This issue is only present on 32 bit systems. It also requires the username field to use more than 2GB of memory, which should be rare. - Affected versions: libcurl 7.33.0 to and including 7.61.1 - Not affected versions: libcurl < 7.33.0 and >= 7.62.0 curl is used by many applications, but not always advertised as such. THE SOLUTION ------------ In libcurl version 7.62.0, the integer overflow is avoided. An error will be returned if a too long user name is attempted. A [patch for CVE-2018-16839](https://github.com/curl/curl/commit/f3a24d7916b9173c69a3e0ee790102993833d6c5) is available. RECOMMENDATIONS --------------- We suggest you take one of the following actions immediately, in order of preference: A - Upgrade curl to version 7.62.0 B - Apply the patch to your version and rebuild C - Put length restrictions on the username field you can pass to libcurl TIME LINE --------- It was reported to the curl project on September 6, 2018. We contacted distros@openwall on October 22. curl 7.62.0 was released on October 31 2018, coordinated with the publication of this advisory. CREDITS ------- Reported by Harry Sintonen. Patch by Daniel Stenberg. Thanks a lot! -- / daniel.haxx.se
Current thread:
- [SECURITY ADVISORY] curl - SASL password overflow via integer overflow Daniel Stenberg (Oct 30)