Bug 1123378 (CVE-2019-3823)

Summary: VUL-1: CVE-2019-3823: curl: SMTP end-of-response out-of-bounds read
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexandros Toptsoglou <atoptsoglou>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P4 - Low
CC: meissner, pmonrealgonzalez
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/223837/
Whiteboard: CVSSv3:SUSE:CVE-2019-3823:4.3:(AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) CVSSv3:RedHat:CVE-2019-3823:4.3:(AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) CVSSv2:NVD:CVE-2019-3823:7.5:(AV:N/AC:L/Au:N/C:P/I:P/A:P) CVSSv3:NVD:CVE-2019-3823:9.8:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 4 Marcus Meissner 2019-01-29 06:28:37 UTC
CVE-2019-3823

Comment 7 Marcus Meissner 2019-02-06 07:47:35 UTC
is public now

SMTP end-of-response out-of-bounds read
=======================================

Project curl Security Advisory, February 6th 2019 -
[Permalink](https://curl.haxx.se/docs/CVE-2019-3823.html)

VULNERABILITY
-------------

libcurl contains a heap out-of-bounds read in the code handling the
end-of-response for SMTP.

If the buffer passed to `smtp_endofresp()` isn't NUL terminated and contains
no character ending the parsed number, and `len` is set to 5, then the
`strtol()` call reads beyond the allocated buffer. The read contents will not
be returned to the caller.

We are not aware of any exploit of this flaw.

INFO
----

This bug was introduced in October 2013 in
[commit 2766262a68](https://github.com/curl/curl/commit/2766262a68).

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2019-3823 to this issue.

CWE-125: Out-of-bounds Read

Severity: 3.7 (Low)

AFFECTED VERSIONS
-----------------

- Affected versions: libcurl 7.34.0 to and including 7.63.0
- Not affected versions: libcurl < 7.34.0

libcurl is used by many applications, but not always advertised as such.

THE SOLUTION
------------

A [patch for CVE-2019-3823](https://github.com/curl/curl/commit/39df4073e5413fcdbb5a38da0c1ce6f1c0ceb484) is available.

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

  A - Upgrade curl to version 7.64.0

  B - Apply the patch to your version and rebuild

  C - Turn off SMTP

TIMELINE
--------

The issue was reported to the curl project on January 18, 2019. A patch was
communicated to the reporter on January 19, 2019. We contacted distros@openwall
on January 28.

curl 7.64.0 was released on February 6 2019, coordinated with the publication
of this advisory.

CREDITS
-------

Reported by Brian Carpenter, Geeknik Labs. Patch by Daniel Gustafsson

Thanks a lot!

-- 

  / daniel.haxx.se
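
Added example, not part of the advisory or of libcurl's source: the unbounded `strtol()` pattern the advisory describes next to a bounded form that parses a private NUL-terminated copy. The function names and the accepted reply shapes (`NNN`, `NNN ` or `NNN-`) are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Pattern the advisory describes, for contrast only: strtol() stops at the
   first non-digit, so on a buffer of digits with no NUL it reads past len. */
long code_unbounded(const char *line, size_t len)
{
  (void)len;                       /* the length is never enforced */
  return strtol(line, NULL, 10);
}

/* Hypothetical bounded helper: parse a private NUL-terminated copy.
   Returns the 3-digit reply code, or -1 unless the bytes are "NNN",
   or start with "NNN " or "NNN-". */
int code_bounded(const char *line, size_t len)
{
  char tmp[6];
  char *end;
  long v;
  size_t n = len < sizeof(tmp) - 1 ? len : sizeof(tmp) - 1;

  if(len < 3 || !isdigit((unsigned char)line[0]))
    return -1;
  memcpy(tmp, line, n);
  tmp[n] = '\0';                   /* strtol() can never leave tmp */
  v = strtol(tmp, &end, 10);
  if(end != tmp + 3 || (*end != '\0' && *end != ' ' && *end != '-'))
    return -1;
  return (int)v;
}

/* Constructed input: place the bytes in an exactly sized heap block with no
   terminator, so a sanitizer would flag any read past len. */
int parse_from_heap(const char *bytes, size_t len)
{
  char *buf = malloc(len ? len : 1);
  int code;

  if(!buf)
    return -1;
  memcpy(buf, bytes, len);
  code = code_bounded(buf, len);
  free(buf);
  return code;
}
```

Building with `-fsanitize=address` and routing the same five-digit, unterminated input through `code_unbounded()` is a quick way to confirm the overread in a test harness.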

Comment 8 Swamp Workflow Management 2019-02-06 11:11:11 UTC
SUSE-SU-2019:0248-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1123371,1123377,1123378
CVE References: CVE-2018-16890,CVE-2019-3822,CVE-2019-3823
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    curl-mini-7.60.0-3.17.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    curl-7.60.0-3.17.1

Comment 9 Pedro Monreal Gonzalez 2019-02-06 11:28:39 UTC
Updated to 7.64.0 in Factory:
https://build.opensuse.org/request/show/672083

Comment 10 Swamp Workflow Management 2019-02-06 14:54:49 UTC
SUSE-SU-2019:0249-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1123371,1123377,1123378
CVE References: CVE-2018-16890,CVE-2019-3822,CVE-2019-3823
Sources used:
SUSE OpenStack Cloud 7 (src):    curl-7.37.0-37.34.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    curl-7.37.0-37.34.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    curl-7.37.0-37.34.1
SUSE Linux Enterprise Server 12-SP3 (src):    curl-7.37.0-37.34.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    curl-7.37.0-37.34.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    curl-7.37.0-37.34.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    curl-7.37.0-37.34.1
SUSE Linux Enterprise Server 12-LTSS (src):    curl-7.37.0-37.34.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    curl-7.37.0-37.34.1
SUSE Enterprise Storage 4 (src):    curl-7.37.0-37.34.1
SUSE CaaS Platform ALL (src):    curl-7.37.0-37.34.1
SUSE CaaS Platform 3.0 (src):    curl-7.37.0-37.34.1
OpenStack Cloud Magnum Orchestration 7 (src):    curl-7.37.0-37.34.1

Comment 11 Pedro Monreal Gonzalez 2019-02-07 12:11:15 UTC
Submitted to SUSE:SLE-12-SP4:Update:
https://build.suse.de/request/show/183785

Comment 14 Swamp Workflow Management 2019-02-13 11:12:02 UTC
SUSE-SU-2019:0339-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1112758,1113029,1113660,1123371,1123377,1123378
CVE References: CVE-2018-16839,CVE-2018-16840,CVE-2018-16842,CVE-2018-16890,CVE-2019-3822,CVE-2019-3823
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    curl-7.60.0-4.3.1
SUSE Linux Enterprise Server 12-SP4 (src):    curl-7.60.0-4.3.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    curl-7.60.0-4.3.1

Comment 15 Swamp Workflow Management 2019-02-14 14:09:42 UTC
openSUSE-SU-2019:0173-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1123371,1123377,1123378
CVE References: CVE-2018-16890,CVE-2019-3822,CVE-2019-3823
Sources used:
openSUSE Leap 42.3 (src):    curl-7.37.0-45.1

Comment 16 Swamp Workflow Management 2019-02-14 14:11:30 UTC
openSUSE-SU-2019:0174-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1123371,1123377,1123378
CVE References: CVE-2018-16890,CVE-2019-3822,CVE-2019-3823
Sources used:
openSUSE Leap 15.0 (src):    curl-7.60.0-lp150.2.18.1, curl-mini-7.60.0-lp150.2.18.1

Comment 17 Marcus Meissner 2019-04-05 15:20:15 UTC
released

Comment 18 Swamp Workflow Management 2019-04-12 10:12:28 UTC
SUSE-SU-2019:0249-2: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1123371,1123377,1123378
CVE References: CVE-2018-16890,CVE-2019-3822,CVE-2019-3823
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    curl-7.37.0-37.34.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.