Browse code
curl: Fix for CVE-2018-16890 and CVE-2019-38{22,23}
CVE-2019-3822
-------------
The check in lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message(),
the function creating an outgoing NTLM type-3 header, generates the
request HTTP header contents based on previously received data. To
prevent the local buffer from getting overflowed is implemented
wrongly (using unsigned math) and as such it does not prevent the
overflow from happening.
CVE-2019-3823
-------------
curl is vulnerable for out of band reads in end of SMTP responses,
if the buffer passed to smtp_endofresp() is not NULL terminated and
contains no character ending the parsed number, and len is set to 5,
then the strtol() call reads beyond the allocated buffer.
The read contents will not be returned to the caller.
CVE-2018-16890
--------------
An Out-of-bounds read flaw was found in the way curl handled NTLMv2
type-2 headers. When connecting to a remote malicious server which
uses NTLM authentication, it could cause curl to crash.
Change-Id: Ia9b382b79e8d31e0caeb0e13da3791610242f883
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/6756
Reviewed-by: Anish Swaminathan <anishs@vmware.com>
Tested-by: Anish Swaminathan <anishs@vmware.com>
dweepadvani authored on 2019/02/16 09:20:32Showing 4 changed files
- SPECS/curl/curl-CVE-2018-16890.patch
- SPECS/curl/curl-CVE-2019-3822.patch
- SPECS/curl/curl-CVE-2019-3823.patch
- SPECS/curl/curl.spec
| 1 | 1 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,39 @@ |
| 0 |
+From b780b30d1377adb10bbe774835f49e9b237fb9bb Mon Sep 17 00:00:00 2001 |
|
| 1 |
+From: Daniel Stenberg <daniel@haxx.se> |
|
| 2 |
+Date: Wed, 2 Jan 2019 20:33:08 +0100 |
|
| 3 |
+Subject: [PATCH] NTLM: fix size check condition for type2 received data |
|
| 4 |
+ |
|
| 5 |
+Bug: https://curl.haxx.se/docs/CVE-2018-16890.html |
|
| 6 |
+Reported-by: Wenxiang Qian |
|
| 7 |
+CVE-2018-16890 |
|
| 8 |
+--- |
|
| 9 |
+ lib/vauth/ntlm.c | 7 ++++--- |
|
| 10 |
+ 1 file changed, 4 insertions(+), 3 deletions(-) |
|
| 11 |
+ |
|
| 12 |
+diff --git a/lib/vauth/ntlm.c b/lib/vauth/ntlm.c |
|
| 13 |
+index c3d55ed251..0ad4d972e3 100644 |
|
| 14 |
+--- a/lib/vauth/ntlm.c |
|
| 15 |
+@@ -5,7 +5,7 @@ |
|
| 16 |
+ * | (__| |_| | _ <| |___ |
|
| 17 |
+ * \___|\___/|_| \_\_____| |
|
| 18 |
+ * |
|
| 19 |
+- * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al. |
|
| 20 |
++ * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al. |
|
| 21 |
+ * |
|
| 22 |
+ * This software is licensed as described in the file COPYING, which |
|
| 23 |
+ * you should have received as part of this distribution. The terms |
|
| 24 |
+@@ -182,10 +182,11 @@ static CURLcode ntlm_decode_type2_target(struct Curl_easy *data, |
|
| 25 |
+ target_info_len = Curl_read16_le(&buffer[40]); |
|
| 26 |
+ target_info_offset = Curl_read32_le(&buffer[44]); |
|
| 27 |
+ if(target_info_len > 0) {
|
|
| 28 |
+- if(((target_info_offset + target_info_len) > size) || |
|
| 29 |
++ if((target_info_offset >= size) || |
|
| 30 |
++ ((target_info_offset + target_info_len) > size) || |
|
| 31 |
+ (target_info_offset < 48)) {
|
|
| 32 |
+ infof(data, "NTLM handshake failure (bad type-2 message). " |
|
| 33 |
+- "Target Info Offset Len is set incorrect by the peer\n"); |
|
| 34 |
++ "Target Info Offset Len is set incorrect by the peer\n"); |
|
| 35 |
+ return CURLE_BAD_CONTENT_ENCODING; |
|
| 36 |
+ } |
|
| 37 |
+ |
| 0 | 38 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,35 @@ |
| 0 |
+From 50c9484278c63b958655a717844f0721263939cc Mon Sep 17 00:00:00 2001 |
|
| 1 |
+From: Daniel Stenberg <daniel@haxx.se> |
|
| 2 |
+Date: Thu, 3 Jan 2019 12:59:28 +0100 |
|
| 3 |
+Subject: [PATCH] ntlm: fix *_type3_message size check to avoid buffer overflow |
|
| 4 |
+ |
|
| 5 |
+Bug: https://curl.haxx.se/docs/CVE-2019-3822.html |
|
| 6 |
+Reported-by: Wenxiang Qian |
|
| 7 |
+CVE-2019-3822 |
|
| 8 |
+--- |
|
| 9 |
+ lib/vauth/ntlm.c | 11 +++++++---- |
|
| 10 |
+ 1 file changed, 7 insertions(+), 4 deletions(-) |
|
| 11 |
+ |
|
| 12 |
+diff --git a/lib/vauth/ntlm.c b/lib/vauth/ntlm.c |
|
| 13 |
+index 0ad4d972e3..6a8fc5ab3d 100644 |
|
| 14 |
+--- a/lib/vauth/ntlm.c |
|
| 15 |
+@@ -779,11 +779,14 @@ CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data, |
|
| 16 |
+ }); |
|
| 17 |
+ |
|
| 18 |
+ #ifdef USE_NTRESPONSES |
|
| 19 |
+- if(size < (NTLM_BUFSIZE - ntresplen)) {
|
|
| 20 |
+- DEBUGASSERT(size == (size_t)ntrespoff); |
|
| 21 |
+- memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen); |
|
| 22 |
+- size += ntresplen; |
|
| 23 |
++ /* ntresplen + size should not be risking an integer overflow here */ |
|
| 24 |
++ if(ntresplen + size > sizeof(ntlmbuf)) {
|
|
| 25 |
++ failf(data, "incoming NTLM message too big"); |
|
| 26 |
++ return CURLE_OUT_OF_MEMORY; |
|
| 27 |
+ } |
|
| 28 |
++ DEBUGASSERT(size == (size_t)ntrespoff); |
|
| 29 |
++ memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen); |
|
| 30 |
++ size += ntresplen; |
|
| 31 |
+ |
|
| 32 |
+ DEBUG_OUT({
|
|
| 33 |
+ fprintf(stderr, "\n ntresp="); |
| 0 | 34 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,44 @@ |
| 0 |
+From 39df4073e5413fcdbb5a38da0c1ce6f1c0ceb484 Mon Sep 17 00:00:00 2001 |
|
| 1 |
+From: Daniel Gustafsson <daniel@yesql.se> |
|
| 2 |
+Date: Sat, 19 Jan 2019 00:42:47 +0100 |
|
| 3 |
+Subject: [PATCH] smtp: avoid risk of buffer overflow in strtol |
|
| 4 |
+ |
|
| 5 |
+If the incoming len 5, but the buffer does not have a termination |
|
| 6 |
+after 5 bytes, the strtol() call may keep reading through the line |
|
| 7 |
+buffer until is exceeds its boundary. Fix by ensuring that we are |
|
| 8 |
+using a bounded read with a temporary buffer on the stack. |
|
| 9 |
+ |
|
| 10 |
+Bug: https://curl.haxx.se/docs/CVE-2019-3823.html |
|
| 11 |
+Reported-by: Brian Carpenter (Geeknik Labs) |
|
| 12 |
+CVE-2019-3823 |
|
| 13 |
+--- |
|
| 14 |
+ lib/smtp.c | 8 ++++++-- |
|
| 15 |
+ 1 file changed, 6 insertions(+), 2 deletions(-) |
|
| 16 |
+ |
|
| 17 |
+diff --git a/lib/smtp.c b/lib/smtp.c |
|
| 18 |
+index 84fc68e418..d55647b12e 100644 |
|
| 19 |
+--- a/lib/smtp.c |
|
| 20 |
+@@ -5,7 +5,7 @@ |
|
| 21 |
+ * | (__| |_| | _ <| |___ |
|
| 22 |
+ * \___|\___/|_| \_\_____| |
|
| 23 |
+ * |
|
| 24 |
+- * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al. |
|
| 25 |
++ * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al. |
|
| 26 |
+ * |
|
| 27 |
+ * This software is licensed as described in the file COPYING, which |
|
| 28 |
+ * you should have received as part of this distribution. The terms |
|
| 29 |
+@@ -207,8 +207,12 @@ static bool smtp_endofresp(struct connectdata *conn, char *line, size_t len, |
|
| 30 |
+ Section 4. Examples of RFC-4954 but some e-mail servers ignore this and |
|
| 31 |
+ only send the response code instead as per Section 4.2. */ |
|
| 32 |
+ if(line[3] == ' ' || len == 5) {
|
|
| 33 |
++ char tmpline[6]; |
|
| 34 |
++ |
|
| 35 |
+ result = TRUE; |
|
| 36 |
+- *resp = curlx_sltosi(strtol(line, NULL, 10)); |
|
| 37 |
++ memset(tmpline, '\0', sizeof(tmpline)); |
|
| 38 |
++ memcpy(tmpline, line, (len == 5 ? 5 : 3)); |
|
| 39 |
++ *resp = curlx_sltosi(strtol(tmpline, NULL, 10)); |
|
| 40 |
+ |
|
| 41 |
+ /* Make sure real server never sends internal value */ |
|
| 42 |
+ if(*resp == 1) |
| ... | ... |
@@ -1,7 +1,7 @@ |
| 1 | 1 |
Summary: An URL retrieval utility and library |
| 2 | 2 |
Name: curl |
| 3 | 3 |
Version: 7.61.1 |
| 4 |
-Release: 2%{?dist}
|
|
| 4 |
+Release: 3%{?dist}
|
|
| 5 | 5 |
License: MIT |
| 6 | 6 |
URL: http://curl.haxx.se |
| 7 | 7 |
Group: System Environment/NetworkingLibraries |
| ... | ... |
@@ -12,6 +12,9 @@ Source0: http://curl.haxx.se/download/%{name}-%{version}.tar.gz
|
| 12 | 12 |
Patch0: CVE-2018-16839.patch |
| 13 | 13 |
Patch1: CVE-2018-16840.patch |
| 14 | 14 |
Patch2: CVE-2018-16842.patch |
| 15 |
+Patch3: curl-CVE-2018-16890.patch |
|
| 16 |
+Patch4: curl-CVE-2019-3822.patch |
|
| 17 |
+Patch5: curl-CVE-2019-3823.patch |
|
| 15 | 18 |
BuildRequires: ca-certificates |
| 16 | 19 |
BuildRequires: openssl-devel |
| 17 | 20 |
BuildRequires: krb5-devel |
| ... | ... |
@@ -47,6 +50,9 @@ This package contains minimal set of shared curl libraries. |
| 47 | 47 |
%patch0 -p1 |
| 48 | 48 |
%patch1 -p1 |
| 49 | 49 |
%patch2 -p1 |
| 50 |
+%patch3 -p1 |
|
| 51 |
+%patch4 -p1 |
|
| 52 |
+%patch5 -p1 |
|
| 50 | 53 |
|
| 51 | 54 |
%build |
| 52 | 55 |
%configure \ |
| ... | ... |
@@ -95,6 +101,8 @@ rm -rf %{buildroot}/*
|
| 95 | 95 |
%{_libdir}/libcurl.so.*
|
| 96 | 96 |
|
| 97 | 97 |
%changelog |
| 98 |
+* Tue Feb 19 2019 Dweep Advani <dadvani@vmware.com> 7.61.1-3 |
|
| 99 |
+- Fixed CVE-2018-16890, CVE-2019-3822 and CVE-2019-3823 |
|
| 98 | 100 |
* Tue Jan 08 2019 Dweep Advani <dadvani@vmware.com> 7.61.1-2 |
| 99 | 101 |
- Fix of CVE-2018-16839, CVE-2018-16840 and CVE-2018-16842 |
| 100 | 102 |
* Mon Sep 10 2018 Ajay Kaher <akaher@vmware.com> 7.61.1-1 |