Bugzilla – Bug 1112758
VUL-0: CVE-2018-16839: curl: SASL password overflow via integer overflow
Last modified: 2019-05-02 14:40:26 UTC
Created attachment 786974 0001-Curl_auth_create_plain_message-fix-too-large-input-c.patch
Public now: https://www.openwall.com/lists/oss-security/2018/10/31/1

SASL password overflow via integer overflow
===========================================

Project curl Security Advisory, October 31st 2018 - [Permalink](https://curl.haxx.se/docs/CVE-2018-16839.html)

VULNERABILITY
-------------

libcurl contains a buffer overrun in the SASL authentication code.

The internal function `Curl_auth_create_plain_message` fails to correctly verify that the passed in lengths for name and password aren't too long, then calculates a buffer size to allocate.

On systems with a 32 bit `size_t`, the math to calculate the buffer size triggers an integer overflow when the user name length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow.

(This bug is very similar to [CVE-2017-14618](https://curl.haxx.se/docs/CVE-2018-14618.html).)

We are not aware of any exploit of this flaw.

INFO
----

The affected function can only be invoked when using POP3(S), IMAP(S) or SMTP(S).

This bug was introduced in [commit c56f9797e7feb7c2dc](https://github.com/curl/curl/commit/c56f9797e7feb7c2dc), August 2013.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2018-16839 to this issue.

CWE-131: Incorrect Calculation of Buffer Size

Severity: 3.2 (Low)

AFFECTED VERSIONS
-----------------

This issue is only present on 32 bit systems. It also requires the username field to use more than 2GB of memory, which should be rare.

- Affected versions: libcurl 7.33.0 to and including 7.61.1
- Not affected versions: libcurl < 7.33.0 and >= 7.62.0

curl is used by many applications, but not always advertised as such.

THE SOLUTION
------------

In libcurl version 7.62.0, the integer overflow is avoided. An error will be returned if a too long user name is attempted.

A [patch for CVE-2018-16839](https://github.com/curl/curl/commit/f3a24d7916b9173c69a3e0ee790102993833d6c5) is available.

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of preference:

A - Upgrade curl to version 7.62.0

B - Apply the patch to your version and rebuild

C - Put length restrictions on the username field you can pass to libcurl

TIME LINE
---------

It was reported to the curl project on September 6, 2018. We contacted distros@...nwall on October 22.

curl 7.62.0 was released on October 31 2018, coordinated with the publication of this advisory.

CREDITS
-------

Reported by Harry Sintonen. Patch by Daniel Stenberg.

Thanks a lot!
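The size calculation the advisory describes can be reproduced on any host by modelling a 32 bit `size_t` with `uint32_t`. This is an added example, not curl's code and not part of the bug comments; the message layout (user name twice, password, two NUL separators) and all function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model a 32-bit size_t on any host so the wrap is reproducible. */
typedef uint32_t size32_t;

/* Assumed layout: user NUL user NUL password (2*ulen + plen + 2 bytes). */

/* Bytes the copy step will really write, computed without wrapping. */
uint64_t plain_bytes_needed(size32_t ulen, size32_t plen)
{
  return 2 * (uint64_t)ulen + plen + 2;
}

/* Unchecked size math: silently wraps modulo 2^32. */
size32_t plain_size_unchecked(size32_t ulen, size32_t plen)
{
  return (size32_t)(2u * ulen + plen + 2u);
}

/* Checked size math: refuses any input whose total cannot be represented. */
bool plain_size_checked(size32_t ulen, size32_t plen, size32_t *out)
{
  size32_t base;
  if(ulen > (UINT32_MAX - 2u) / 2u)
    return false;                /* 2*ulen + 2 would wrap */
  base = 2u * ulen + 2u;
  if(plen > UINT32_MAX - base)
    return false;                /* adding the password would wrap */
  *out = base + plen;
  return true;
}

int main(void)
{
  size32_t ulen = 0x80000001u;   /* constructed: user name just over 2^31 */
  size32_t plen = 8, sz = 0;
  printf("needed=%llu allocated=%u checked_ok=%d\n",
         (unsigned long long)plain_bytes_needed(ulen, plen),
         (unsigned)plain_size_unchecked(ulen, plen),
         (int)plain_size_checked(ulen, plen, &sz));
  return 0;
}
```

The same bound check is what recommendation C amounts to for callers that cannot upgrade: reject the user name before it reaches the library when its length cannot be represented in the size arithmetic.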
Submitted to Factory: https://build.opensuse.org/request/show/645709
SUSE-SU-2018:3608-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1112758,1113660
CVE References: CVE-2018-16840,CVE-2018-16842
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): curl-7.37.0-37.31.1
SUSE Linux Enterprise Server 12-SP3 (src): curl-7.37.0-37.31.1
SUSE Linux Enterprise Desktop 12-SP3 (src): curl-7.37.0-37.31.1
SUSE CaaS Platform ALL (src): curl-7.37.0-37.31.1
SUSE CaaS Platform 3.0 (src): curl-7.37.0-37.31.1
OpenStack Cloud Magnum Orchestration 7 (src): curl-7.37.0-37.31.1
SUSE-SU-2018:3624-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1112758,1113660
CVE References: CVE-2018-16839,CVE-2018-16840,CVE-2018-16842
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): curl-mini-7.60.0-3.14.2
SUSE Linux Enterprise Module for Basesystem 15 (src): curl-7.60.0-3.14.3
SUSE-SU-2018:3681-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1112758,1113660
CVE References: CVE-2018-16840,CVE-2018-16842
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): curl-7.37.0-70.38.1
SUSE Linux Enterprise Server 11-SP4 (src): curl-7.37.0-70.38.1
SUSE Linux Enterprise Server 11-SECURITY (src): curl-openssl1-7.37.0-70.38.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): curl-7.37.0-70.38.1
released
openSUSE-SU-2018:3699-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1112758,1113660
CVE References: CVE-2018-16840,CVE-2018-16842
Sources used:
openSUSE Leap 42.3 (src): curl-7.37.0-42.1
openSUSE-SU-2018:3706-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1112758,1113660
CVE References: CVE-2018-16839,CVE-2018-16840,CVE-2018-16842
Sources used:
openSUSE Leap 15.0 (src): curl-7.60.0-lp150.2.15.1, curl-mini-7.60.0-lp150.2.15.1
SUSE-SU-2019:0339-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1112758,1113029,1113660,1123371,1123377,1123378
CVE References: CVE-2018-16839,CVE-2018-16840,CVE-2018-16842,CVE-2018-16890,CVE-2019-3822,CVE-2019-3823
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src): curl-7.60.0-4.3.1
SUSE Linux Enterprise Server 12-SP4 (src): curl-7.60.0-4.3.1
SUSE Linux Enterprise Desktop 12-SP4 (src): curl-7.60.0-4.3.1
SUSE-SU-2019:0996-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1112758,1131886
CVE References: CVE-2018-16839
Sources used:
SUSE OpenStack Cloud 7 (src): curl-7.37.0-37.37.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): curl-7.37.0-37.37.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src): curl-7.37.0-37.37.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src): curl-7.37.0-37.37.1
SUSE Linux Enterprise Server 12-SP3 (src): curl-7.37.0-37.37.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src): curl-7.37.0-37.37.1
SUSE Linux Enterprise Server 12-SP2-BCL (src): curl-7.37.0-37.37.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src): curl-7.37.0-37.37.1
SUSE Linux Enterprise Server 12-LTSS (src): curl-7.37.0-37.37.1
SUSE Linux Enterprise Desktop 12-SP3 (src): curl-7.37.0-37.37.1
SUSE Enterprise Storage 4 (src): curl-7.37.0-37.37.1
SUSE CaaS Platform ALL (src): curl-7.37.0-37.37.1
SUSE CaaS Platform 3.0 (src): curl-7.37.0-37.37.1
OpenStack Cloud Magnum Orchestration 7 (src): curl-7.37.0-37.37.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.