libcurl contains two integer overflows in the `curl_url_set()` function that, if triggered, can lead to a too small buffer allocation and a subsequent heap buffer overflow.

Upstream patch: https://github.com/curl/curl/commit/5fc28510a4664f4

References: https://curl.haxx.se/docs/CVE-2019-5435.html
This flaw only manifests itself on 32-bit arches. There are two entry points to this issue, on 32-bit architectures.

Asking libcurl to parse a string, by passing in a string longer than 2GB to this API, triggers the bug: `curl_url_set(uh, CURLUPART_URL, "string", 0);`

Asking libcurl to update a URL with a new string, and URL encode it in the process, by passing in a string longer than 1.33GB to this API, triggers the bug: `curl_url_set(uh, CURLUPART_*, "string", CURLU_URLENCODE);`

This bug was introduced in August 2018 in [commit fb30ac5a2d](https://github.com/curl/curl/commit/fb30ac5a2d63773c52).
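The size wrap behind the two thresholds above, as an added example that is not curl's code and not part of the original report. It models a 32-bit `size_t` with `uint32_t` so the wrap is visible on any host; the function names and the 2x and 3x growth factors are assumptions chosen to match the 2GB and 1.33GB figures.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for size_t on a 32-bit architecture (assumption for the demo). */
typedef uint32_t size32_t;

/* Unchecked sizing: len * mul + add wraps silently modulo 2^32. */
static size32_t unchecked_alloc_size(size32_t len, size32_t mul, size32_t add)
{
  return len * mul + add;
}

/* Checked sizing: returns 0 and stores the size in *out, or -1 when
   len * mul + add cannot be represented in 32 bits. */
static int checked_alloc_size(size32_t len, size32_t mul, size32_t add,
                              size32_t *out)
{
  if(mul != 0 && len > (UINT32_MAX - add) / mul)
    return -1; /* would overflow: refuse instead of under-allocating */
  *out = len * mul + add;
  return 0;
}

int main(void)
{
  /* Constructed inputs: lengths at the boundaries described above. */
  struct { const char *what; size32_t len, mul, add; } cases[] = {
    { "parse, 2 GiB input (2x, assumed)",       0x80000000u, 2, 2 },
    { "urlencode, ~1.33 GiB input (3x, assumed)", 0x55555555u, 3, 1 },
    { "urlencode, 1000-byte input",             1000u,       3, 1 },
  };
  for(size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
    size32_t safe = 0;
    size32_t raw = unchecked_alloc_size(cases[i].len, cases[i].mul,
                                        cases[i].add);
    int rc = checked_alloc_size(cases[i].len, cases[i].mul, cases[i].add,
                                &safe);
    printf("%-42s len=%lu unchecked=%lu checked=%s\n", cases[i].what,
           (unsigned long)cases[i].len, (unsigned long)raw,
           rc ? "rejected" : "ok");
  }
  return 0;
}
```

A wrapped size of 2 or 0 bytes for a multi-gigabyte input is the "too small buffer allocation" the description refers to; the checked variant rejects the request before any allocation happens.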
Acknowledgments:

Name: the Curl project
Upstream: Wenchao Li
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 1712839]
This issue has been addressed in the following products:

Red Hat JBoss Core Services

Via RHSA-2020:4383 https://access.redhat.com/errata/RHSA-2020:4383
This issue has been addressed in the following products:

JBoss Core Services on RHEL 7
JBoss Core Services on RHEL 6

Via RHSA-2020:4384 https://access.redhat.com/errata/RHSA-2020:4384