CVE-2019-3822
-------------
The function lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message(),
which creates an outgoing NTLM type-3 header, generates the request
HTTP header contents based on previously received data. The check meant
to prevent the local buffer from getting overflowed is implemented
wrongly (using unsigned math) and as such it does not prevent the
overflow from happening.
CVE-2019-3823
-------------
curl is vulnerable to out of band reads in end of SMTP responses. If
the buffer passed to smtp_endofresp() is not NULL terminated and
contains no character ending the parsed number, and len is set to 5,
then the strtol() call reads beyond the allocated buffer.
The read contents will not be returned to the caller.
Change-Id: Idc44b05a019a3509f152ac4aa81ae79631b065b0
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/6758
Reviewed-by: Anish Swaminathan <anishs@vmware.com>
Tested-by: Anish Swaminathan <anishs@vmware.com>
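The two defects described in the commit message, illustrated with example code written for this page (it is not curl's code and not the patch carried by this change). The NTLM part mirrors the shape of the old and new size checks with the operand types simplified to size_t and a constructed NTLM_BUFSIZE of 1024; the SMTP part is a bounded reply-code parser of my own that shows how to avoid the strtol() read past an unterminated buffer, and is not the upstream fix for CVE-2019-3823.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for curl's NTLM_BUFSIZE; the real constant is defined
   in lib/vauth/ntlm.c and its value is not shown on this page. */
#define NTLM_BUFSIZE 1024

/* Shape of the pre-fix check: size < (NTLM_BUFSIZE - ntresplen).
   Both operands are unsigned, so when ntresplen > NTLM_BUFSIZE the
   subtraction wraps to a value near SIZE_MAX and the comparison is true for
   every size, i.e. the copy is allowed although it cannot fit. */
int old_check_allows_copy(size_t size, size_t ntresplen)
{
    return size < (NTLM_BUFSIZE - ntresplen);
}

/* Shape of the post-fix check: ntresplen + size > sizeof(ntlmbuf).
   Adding instead of subtracting means a too-large ntresplen can only make
   the left side bigger, so the check fails closed (provided the sum itself
   does not wrap, which holds while size <= NTLM_BUFSIZE and ntresplen is
   bounded by the received message length). */
int new_check_allows_copy(size_t size, size_t ntresplen)
{
    return !(ntresplen + size > NTLM_BUFSIZE);
}

/* Bounded parse of a 3-digit SMTP reply code from exactly len bytes.
   Unlike strtol() on a buffer that may lack a terminating NUL, this never
   reads past buf[len - 1]. Returns the code, or -1 if the bytes are not a
   reply code followed (when a 4th byte exists) by the ' ' or '-' separator. */
int parse_smtp_code_bounded(const char *buf, size_t len)
{
    int code = 0;
    size_t i;
    if(len < 3)
        return -1;
    for(i = 0; i < 3; i++) {
        if(buf[i] < '0' || buf[i] > '9')
            return -1;
        code = code * 10 + (buf[i] - '0');
    }
    if(len > 3 && buf[3] != ' ' && buf[3] != '-')
        return -1;
    return code;
}

int main(void)
{
    /* Constructed sizes: 100 bytes already in the buffer and a 2000-byte
       NT response that can never fit into a 1024-byte buffer. */
    printf("old check allows 2000-byte response: %d\n",
           old_check_allows_copy(100, 2000));   /* 1: memcpy would overflow */
    printf("new check allows 2000-byte response: %d\n",
           new_check_allows_copy(100, 2000));   /* 0: rejected */

    /* Constructed 5-byte SMTP buffer with no terminating NUL and no
       separator after the digits, the shape described for CVE-2019-3823. */
    const char unterminated[5] = { '2', '5', '0', '1', '2' };
    printf("bounded parse of unterminated buffer: %d\n",
           parse_smtp_code_bounded(unterminated, sizeof(unterminated))); /* -1 */
    printf("bounded parse of \"250 OK\": %d\n",
           parse_smtp_code_bounded("250 OK", 6));   /* 250 */
    return 0;
}
```

The old check also rejects an exact fit (size == NTLM_BUFSIZE - ntresplen) because it uses `<`, while the new form accepts it; the interesting case is the wrap, where the old check admits any response longer than the whole buffer.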
| 1 | 1 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,35 @@ |
| 0 |
+From 50c9484278c63b958655a717844f0721263939cc Mon Sep 17 00:00:00 2001 |
|
| 1 |
+From: Daniel Stenberg <daniel@haxx.se> |
|
| 2 |
+Date: Thu, 3 Jan 2019 12:59:28 +0100 |
|
| 3 |
+Subject: [PATCH] ntlm: fix *_type3_message size check to avoid buffer overflow |
|
| 4 |
+ |
|
| 5 |
+Bug: https://curl.haxx.se/docs/CVE-2019-3822.html |
|
| 6 |
+Reported-by: Wenxiang Qian |
|
| 7 |
+CVE-2019-3822 |
|
| 8 |
+--- |
|
| 9 |
+ lib/vauth/ntlm.c | 11 +++++++---- |
|
| 10 |
+ 1 file changed, 7 insertions(+), 4 deletions(-) |
|
| 11 |
+ |
|
| 12 |
+diff --git a/lib/vauth/ntlm.c b/lib/vauth/ntlm.c |
|
| 13 |
+index 0ad4d972e3..6a8fc5ab3d 100644 |
|
| 14 |
+--- a/lib/vauth/ntlm.c |
|
| 15 |
+@@ -779,11 +779,14 @@ CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data, |
|
| 16 |
+ }); |
|
| 17 |
+ |
|
| 18 |
+ #ifdef USE_NTRESPONSES |
|
| 19 |
+- if(size < (NTLM_BUFSIZE - ntresplen)) {
|
|
| 20 |
+- DEBUGASSERT(size == (size_t)ntrespoff); |
|
| 21 |
+- memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen); |
|
| 22 |
+- size += ntresplen; |
|
| 23 |
++ /* ntresplen + size should not be risking an integer overflow here */ |
|
| 24 |
++ if(ntresplen + size > sizeof(ntlmbuf)) {
|
|
| 25 |
++ failf(data, "incoming NTLM message too big"); |
|
| 26 |
++ return CURLE_OUT_OF_MEMORY; |
|
| 27 |
+ } |
|
| 28 |
++ DEBUGASSERT(size == (size_t)ntrespoff); |
|
| 29 |
++ memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen); |
|
| 30 |
++ size += ntresplen; |
|
| 31 |
+ |
|
| 32 |
+ DEBUG_OUT({
|
|
| 33 |
+ fprintf(stderr, "\n ntresp="); |
| ... | ... |
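Review bot: the embedded patch has the `--- a/lib/vauth/ntlm.c` header (line 14 of the new file) but no `+++ b/lib/vauth/ntlm.c` line before `@@ -779,11 +779,14 @@`; if that is the actual file content rather than a rendering artifact, `%patch7 -p1` will not find the target file and the build will fail, so confirm the file byte-for-byte against upstream commit 50c9484278c63b958655a717844f0721263939cc. The replacement check itself is the right shape: `size < (NTLM_BUFSIZE - ntresplen)` wraps when `ntresplen > NTLM_BUFSIZE`, whereas `ntresplen + size > sizeof(ntlmbuf)` fails closed as long as the sum cannot wrap, which the added comment asserts but this hunk does not show (the declaration and origin of `ntresplen` are outside the context lines).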
@@ -16,7 +16,8 @@ Patch3: curl-CVE-2018-16839.patch |
| 16 | 16 |
Patch4: curl-CVE-2018-16840.patch |
| 17 | 17 |
Patch5: curl-CVE-2018-16842.patch |
| 18 | 18 |
Patch6: curl-CVE-2018-14618.patch |
| 19 |
-Patch7: curl-CVE-2019-3823.patch |
|
| 19 |
+Patch7: curl-CVE-2019-3822.patch |
|
| 20 |
+Patch8: curl-CVE-2019-3823.patch |
|
| 20 | 21 |
Requires: ca-certificates |
| 21 | 22 |
BuildRequires: ca-certificates |
| 22 | 23 |
Requires: openssl |
| ... | ... |
@@ -43,6 +44,7 @@ sed -i '/--static-libs)/{N;s#echo .*#echo #;}' curl-config.in
|
| 43 | 43 |
%patch5 -p1 |
| 44 | 44 |
%patch6 -p1 |
| 45 | 45 |
%patch7 -p1 |
| 46 |
+%patch8 -p1 |
|
| 46 | 47 |
|
| 47 | 48 |
%build |
| 48 | 49 |
./configure \ |
| ... | ... |
@@ -89,7 +91,7 @@ rm -rf %{buildroot}/*
|
| 89 | 89 |
|
| 90 | 90 |
%changelog |
| 91 | 91 |
* Thu Feb 14 2019 Dweep Advani <dadvani@vmware.com> 7.59.0-6 |
| 92 |
-- Fixed CVE-2019-3823 |
|
| 92 |
+- Fixed CVE-2019-3822 and CVE-2019-3823 |
|
| 93 | 93 |
* Wed Jan 30 2019 Dweep Advani <dadvani@vmware.com> 7.59.0-5 |
| 94 | 94 |
- Fixed CVE-2018-14618 and CVE-2018-16839 |
| 95 | 95 |
* Thu Jan 03 2019 Siju Maliakkal <smaliakkal@vmware.com> 7.59.0-4 |
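Review bot: the existing changelog entry for 7.59.0-6 is edited in place to read "Fixed CVE-2019-3822 and CVE-2019-3823" instead of adding a new dated entry with a bumped Release; if 7.59.0-6 was already built and published with only the CVE-2019-3823 patch, a rebuild carrying both fixes is indistinguishable by package version. Either confirm 7.59.0-6 has not shipped, or add a 7.59.0-7 entry and bump the Release tag (the Release line is not in this diff, so it cannot be checked here).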