Libntlm through 1.5 relies on a fixed buffer size for tSmbNtlmAuthRequest, tSmbNtlmAuthChallenge, and tSmbNtlmAuthResponse read and write operations, as demonstrated by a stack-based buffer over-read in buildSmbNtlmAuthRequest in smbutil.c for a crafted NTLM request. Reference: https://gitlab.com/jas/libntlm/issues/2
Created libntlm tracking bugs for this issue:
Affects: epel-7 [bug 1768465]
Affects: fedora-all [bug 1768464]
Mitigation: The calling application must verify that the input username and domain fit in the 1024 byte buffer.
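The check the mitigation asks for, written out as an added example (this is not libntlm code, and it does not link against the library). It assumes, as the advisory describes, that the request message carries the domain and user name back to back in one fixed 1024-byte buffer as single-byte strings; the function names and the `NTLM_BUFFER_SIZE` macro are this example's own. A caller would run the predicate on user-supplied or configuration-supplied values before handing them to the library's request builder:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed payload buffer in the tSmbNtlm* structures, as stated in
 * the advisory. The rest of this file is an illustrative pre-check, not
 * libntlm's own code. */
#define NTLM_BUFFER_SIZE 1024

/* Assumed layout: domain and user are stored one after the other in a single
 * NTLM_BUFFER_SIZE buffer, one byte per character.
 * Returns the number of buffer bytes the pair would occupy, or -1 if either
 * argument is NULL or the pair would not fit. */
long ntlm_request_payload_size(const char *user, const char *domain)
{
    if (user == NULL || domain == NULL)
        return -1;

    size_t ulen = strlen(user);
    size_t dlen = strlen(domain);

    /* Bound each length before adding, so the sum can never wrap. */
    if (ulen > NTLM_BUFFER_SIZE || dlen > NTLM_BUFFER_SIZE)
        return -1;
    if (ulen + dlen > NTLM_BUFFER_SIZE)
        return -1;

    return (long)(ulen + dlen);
}

/* Predicate for callers: 1 if the pair is safe to pass to the builder. */
int ntlm_request_fits(const char *user, const char *domain)
{
    return ntlm_request_payload_size(user, domain) >= 0;
}

/* Boundary self-check with constructed inputs: an 1100-byte domain must be
 * rejected, and a 512+512 byte pair that exactly fills the buffer accepted. */
int ntlm_boundary_check(void)
{
    char big[1101];
    char half[513];

    memset(big, 'A', 1100);
    big[1100] = '\0';
    memset(half, 'B', 512);
    half[512] = '\0';

    return ntlm_request_fits("user", big) == 0
        && ntlm_request_fits(half, half) == 1
        && ntlm_request_payload_size(half, half) == NTLM_BUFFER_SIZE;
}

int main(void)
{
    /* Constructed sample values, not taken from any real configuration. */
    const char *user = "alice";
    const char *domain = "EXAMPLE";

    if (!ntlm_request_fits(user, domain)) {
        fprintf(stderr, "refusing to build NTLM request: user/domain too long\n");
        return 1;
    }
    printf("payload uses %ld of %d buffer bytes\n",
           ntlm_request_payload_size(user, domain), NTLM_BUFFER_SIZE);
    printf("boundary check %s\n", ntlm_boundary_check() ? "passed" : "failed");
    return 0;
}
```

The one-byte-per-character assumption is the conservative reading for the Type 1 request; if an application also builds the response message with Unicode strings, each character occupies two buffer bytes and the same check must be applied to the doubled length.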
Statement: The vulnerability is rated Medium because no package in Red Hat Enterprise Linux versions 6 and 7 uses Libntlm. Most third-party applications using Libntlm are command line clients and would be affected via a command line option or a configuration file, which are local vectors.
Upstream fix: https://gitlab.com/jas/libntlm/-/commit/b967886873fcf19f816b9c0868465f2d9e5df85e
Regression test: https://gitlab.com/jas/libntlm/-/commit/aa975994cf9cf39c33ce33a1b2988277c456dec1