During such kerberos FTP data transfer, the server sends data to curl in blocks with the 32 bit size of each block first and then that amount of data immediately following. A malicious or just broken server can claim to send a very large block and if by doing that it makes curl's subsequent call to `realloc()` to fail, curl would then misbehave in the exit path and double-free the memory.
Acknowledgments: Name: the Curl project Upstream: Thomas Vegas
What is the impact and cvss score for this issue? https://access.redhat.com/security/cve/CVE-2019-5481 gives me 404.
Upstream patch: https://github.com/curl/curl/commit/9069838b30fb3b48af0123e39f664cea683254a5 This flaw was introduced in November 2016 via the following commit: https://github.com/curl/curl/commit/0649433da53c7165f839e2 Only libcurl >= 7.52.0 to and including 7.65.3 are affected by this flaw.
External References: https://curl.haxx.se/docs/CVE-2019-5481.html
Created curl tracking bugs for this issue: Affects: fedora-all [bug 1751921] Created mingw-curl tracking bugs for this issue: Affects: epel-7 [bug 1751923] Affects: fedora-all [bug 1751922]
Basically a curl crash which can be triggered by a malicious MITM server. Crash is caused by a double-free. Also as per upstream advisory "Kerberos FTP is a rarely used protocol with curl. Also, Kerberos authentication is usually only attempted and used with servers that the client has a previous association with." This makes exploitation difficult.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:1792 https://access.redhat.com/errata/RHSA-2020:1792
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-5481