Bug 1112758 - (CVE-2018-16839) VUL-0: CVE-2018-16839: curl: SASL password overflow via integer overflow
(CVE-2018-16839)
VUL-0: CVE-2018-16839: curl: SASL password overflow via integer overflow
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
CVSSv3:RedHat:CVE-2018-16839:4.3:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-10-22 12:57 UTC by Karol Babioch
Modified: 2019-05-02 14:40 UTC (History)
5 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
CVE-2018-AA18.md (2.60 KB, text/markdown)
2018-10-22 12:59 UTC, Karol Babioch
Details
CVE-2018-AA20.md (1.79 KB, text/markdown)
2018-10-22 12:59 UTC, Karol Babioch
Details
0001-Curl_auth_create_plain_message-fix-too-large-input-c.patch (954 bytes, patch)
2018-10-24 09:05 UTC, Karol Babioch
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Comment 10 Karol Babioch 2018-10-24 09:05:37 UTC
Created attachment 786974 [details]
0001-Curl_auth_create_plain_message-fix-too-large-input-c.patch
Comment 15 Alexander Bergmann 2018-10-31 07:11:42 UTC
Public now:
https://www.openwall.com/lists/oss-security/2018/10/31/1

SASL password overflow via integer overflow
===========================================

Project curl Security Advisory, October 31st 2018 -
[Permalink](https://curl.haxx.se/docs/CVE-2018-16839.html)

VULNERABILITY
-------------

libcurl contains a buffer overrun in the SASL authentication code.

The internal function `Curl_auth_create_plain_message` fails to correctly
verify that the passed in lengths for name and password aren't too long, then
calculates a buffer size to allocate.

On systems with a 32 bit `size_t`, the math to calculate the buffer size
triggers an integer overflow when the user name length exceeds 2GB (2^31
bytes). This integer overflow usually causes a very small buffer to actually
get allocated instead of the intended very huge one, making the use of that
buffer end up in a heap buffer overflow.

(This bug is very similar to
[CVE-2017-14618](https://curl.haxx.se/docs/CVE-2018-14618.html).)

We are not aware of any exploit of this flaw.

INFO
----

The affected function can only be invoked when using POP3(S), IMAP(S) or
SMTP(S).

This bug was introduced in [commit
c56f9797e7feb7c2dc](https://github.com/curl/curl/commit/c56f9797e7feb7c2dc),
August 2013.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2018-16839 to this issue.

CWE-131: Incorrect Calculation of Buffer Size

Severity: 3.2 (Low)

AFFECTED VERSIONS
-----------------

This issue is only present on 32 bit systems. It also requires the username
field to use more than 2GB of memory, which should be rare.

- Affected versions: libcurl 7.33.0 to and including 7.61.1
- Not affected versions: libcurl < 7.33.0 and >= 7.62.0

curl is used by many applications, but not always advertised as such.

THE SOLUTION
------------

In libcurl version 7.62.0, the integer overflow is avoided. An error will be
returned if a too long user name is attempted.

A [patch for
CVE-2018-16839](https://github.com/curl/curl/commit/f3a24d7916b9173c69a3e0ee790102993833d6c5)
is available.

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

  A - Upgrade curl to version 7.62.0

  B - Apply the patch to your version and rebuild

  C - Put length restrictions on the username field you can pass to libcurl

TIME LINE
---------

It was reported to the curl project on September 6, 2018.  We contacted
distros@...nwall on October 22.

curl 7.62.0 was released on October 31 2018, coordinated with the publication
of this advisory.

CREDITS
-------

Reported by Harry Sintonen. Patch by Daniel Stenberg.

Thanks a lot!
Comment 16 Pedro Monreal Gonzalez 2018-10-31 13:42:30 UTC
Submitted to Factory: https://build.opensuse.org/request/show/645709
Comment 17 Swamp Workflow Management 2018-11-02 20:10:10 UTC
SUSE-SU-2018:3608-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1112758,1113660
CVE References: CVE-2018-16840,CVE-2018-16842
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    curl-7.37.0-37.31.1
SUSE Linux Enterprise Server 12-SP3 (src):    curl-7.37.0-37.31.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    curl-7.37.0-37.31.1
SUSE CaaS Platform ALL (src):    curl-7.37.0-37.31.1
SUSE CaaS Platform 3.0 (src):    curl-7.37.0-37.31.1
OpenStack Cloud Magnum Orchestration 7 (src):    curl-7.37.0-37.31.1
Comment 19 Swamp Workflow Management 2018-11-05 20:14:12 UTC
SUSE-SU-2018:3624-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1112758,1113660
CVE References: CVE-2018-16839,CVE-2018-16840,CVE-2018-16842
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    curl-mini-7.60.0-3.14.2
SUSE Linux Enterprise Module for Basesystem 15 (src):    curl-7.60.0-3.14.3
Comment 20 Swamp Workflow Management 2018-11-08 20:10:12 UTC
SUSE-SU-2018:3681-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1112758,1113660
CVE References: CVE-2018-16840,CVE-2018-16842
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    curl-7.37.0-70.38.1
SUSE Linux Enterprise Server 11-SP4 (src):    curl-7.37.0-70.38.1
SUSE Linux Enterprise Server 11-SECURITY (src):    curl-openssl1-7.37.0-70.38.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    curl-7.37.0-70.38.1
Comment 21 Marcus Meissner 2018-11-09 06:41:07 UTC
released
Comment 22 Swamp Workflow Management 2018-11-09 23:16:42 UTC
openSUSE-SU-2018:3699-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1112758,1113660
CVE References: CVE-2018-16840,CVE-2018-16842
Sources used:
openSUSE Leap 42.3 (src):    curl-7.37.0-42.1
Comment 23 Swamp Workflow Management 2018-11-09 23:22:36 UTC
openSUSE-SU-2018:3706-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1112758,1113660
CVE References: CVE-2018-16839,CVE-2018-16840,CVE-2018-16842
Sources used:
openSUSE Leap 15.0 (src):    curl-7.60.0-lp150.2.15.1, curl-mini-7.60.0-lp150.2.15.1
Comment 26 Swamp Workflow Management 2019-02-13 11:11:18 UTC
SUSE-SU-2019:0339-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1112758,1113029,1113660,1123371,1123377,1123378
CVE References: CVE-2018-16839,CVE-2018-16840,CVE-2018-16842,CVE-2018-16890,CVE-2019-3822,CVE-2019-3823
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    curl-7.60.0-4.3.1
SUSE Linux Enterprise Server 12-SP4 (src):    curl-7.60.0-4.3.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    curl-7.60.0-4.3.1
Comment 29 Swamp Workflow Management 2019-04-23 22:09:21 UTC
SUSE-SU-2019:0996-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1112758,1131886
CVE References: CVE-2018-16839
Sources used:
SUSE OpenStack Cloud 7 (src):    curl-7.37.0-37.37.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    curl-7.37.0-37.37.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    curl-7.37.0-37.37.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    curl-7.37.0-37.37.1
SUSE Linux Enterprise Server 12-SP3 (src):    curl-7.37.0-37.37.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    curl-7.37.0-37.37.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    curl-7.37.0-37.37.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    curl-7.37.0-37.37.1
SUSE Linux Enterprise Server 12-LTSS (src):    curl-7.37.0-37.37.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    curl-7.37.0-37.37.1
SUSE Enterprise Storage 4 (src):    curl-7.37.0-37.37.1
SUSE CaaS Platform ALL (src):    curl-7.37.0-37.37.1
SUSE CaaS Platform 3.0 (src):    curl-7.37.0-37.37.1
OpenStack Cloud Magnum Orchestration 7 (src):    curl-7.37.0-37.37.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.