Bug 1749402 (CVE-2019-5481)

Summary: CVE-2019-5481 curl: double free due to subsequent call of realloc()
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: andrew.slice, bodavis, cperry, csutherl, csvoboda, dbhole, erik-fedora, gzaronik, hhorak, jclere, john.j5live, jorton, kanderso, kdudka, lgao, luhliari, mbabacek, mike, msekleta, mthacker, mturk, myarboro, omajid, paul, rwagner, security-response-team, tbrunell, twalsh, weli
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: curl 7.66 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-04-28 16:34:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1751921, 1751922, 1751923, 1751924, 1751925    
Bug Blocks: 1749416    

Description Dhananjay Arunesh 2019-09-05 14:25:13 UTC 
During such kerberos FTP data transfer, the server sends data to curl in blocks with the 32 bit size of each block first and then that amount of data immediately following. A malicious or just broken server can claim to send a very large block and if by doing that it makes curl's subsequent call to `realloc()` to fail, curl would then misbehave in the exit path and double-free the memory.
Comment 5 Dhananjay Arunesh 2019-09-09 03:59:41 UTC 
Acknowledgments:

Name: the Curl project
Upstream: Thomas Vegas
Comment 6 Kamil Dudka 2019-09-12 13:28:01 UTC 
What is the impact and cvss score for this issue?

https://access.redhat.com/security/cve/CVE-2019-5481 gives me 404.
Comment 7 Huzaifa S. Sidhpurwala 2019-09-13 06:22:51 UTC 
Upstream patch: https://github.com/curl/curl/commit/9069838b30fb3b48af0123e39f664cea683254a5

This flaw was introduced in November 2016 via the following commit:
https://github.com/curl/curl/commit/0649433da53c7165f839e2

Only libcurl >= 7.52.0 to and including 7.65.3 are affected by this flaw.
Comment 8 Huzaifa S. Sidhpurwala 2019-09-13 06:22:55 UTC 
External References:

https://curl.haxx.se/docs/CVE-2019-5481.html
Comment 9 Huzaifa S. Sidhpurwala 2019-09-13 06:23:18 UTC 
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 1751921]


Created mingw-curl tracking bugs for this issue:

Affects: epel-7 [bug 1751923]
Affects: fedora-all [bug 1751922]
Comment 11 Huzaifa S. Sidhpurwala 2019-09-13 06:29:37 UTC 
Basically a curl crash which can be triggered by a malicious MITM server. Crash is caused by a double-free. Also as per upstream advisory "Kerberos FTP is a rarely used protocol with curl. Also, Kerberos authentication is usually only attempted and used with servers that the client has a previous association with." This makes exploitation difficult.
Comment 15 errata-xmlrpc 2020-04-28 15:53:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1792 https://access.redhat.com/errata/RHSA-2020:1792
Comment 16 Product Security DevOps Team 2020-04-28 16:34:07 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-5481