Bug 1670256 (CVE-2019-3823)

Summary: CVE-2019-3823 curl: SMTP end-of-response out-of-bounds read
Product: [Other] Security Response Reporter: Sam Fowler <sfowler>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: abhgupta, andrew.slice, bodavis, csutherl, dbaker, dbhole, gzaronik, hhorak, jclere, john.j5live, jokerman, jorton, kanderso, kdudka, lgao, luhliari, mbabacek, msekleta, mturk, myarboro, omajid, paul, psampaio, rwagner, security-response-team, sthangav, trankin, twalsh, weli
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: curl 7.64.0 Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds read flaw was found in the way curl handled certain SMTP responses. A remote attacker could use this flaw to crash curl.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-11-06 00:52:03 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1672906, 1674362, 1674363    
Bug Blocks: 1670258    

Description Sam Fowler 2019-01-29 04:29:19 UTC 
libcurl versions from 7.34.0 to before 7.64.0 are vulnerable to a heap out-of-bounds read in the code handling the end-of-response for SMTP.

If the buffer passed to `smtp_endofresp()` isn't NUL terminated and contains no character ending the parsed number, and `len` is set to 5, then the `strtol()` call reads beyond the allocated buffer. The read contents will not be returned to the caller.


Bug introduced by:

https://github.com/curl/curl/commit/2766262a68
Comment 1 Sam Fowler 2019-01-29 04:29:20 UTC 
Acknowledgments:

Name: Daniel Stenberg (the Curl project)
Upstream: Brian Carpenter (Geeknik Labs)
Comment 2 Sam Fowler 2019-02-06 07:50:34 UTC 
External Reference:

https://curl.haxx.se/docs/CVE-2019-3823.html


Upstream Patch:

https://github.com/curl/curl/commit/39df4073
Comment 3 Sam Fowler 2019-02-06 07:50:47 UTC 
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 1672906]
Comment 4 Huzaifa S. Sidhpurwala 2019-02-11 06:37:16 UTC 
Mitigation:

Do not use SMTP authentication with curl
Comment 9 errata-xmlrpc 2019-11-05 22:06:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3701 https://access.redhat.com/errata/RHSA-2019:3701
Comment 10 Product Security DevOps Team 2019-11-06 00:52:03 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-3823