Bugzilla will be upgraded to version 5.0 on December 2, 2018. The outage period for the upgrade will start at 0:00 UTC and have a duration of 12 hours
Bug 1642201 - (CVE-2018-16839) CVE-2018-16839 curl: Integer overflow leading to heap-based buffer overflow in Curl_sasl_create_plain_message()
CVE-2018-16839 curl: Integer overflow leading to heap-based buffer overflow i...
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20181031,reported=2...
: Security
Depends On: 1644553 1644554 1644552
Blocks: 1642204
  Show dependency treegraph
 
Reported: 2018-10-23 21:44 EDT by Sam Fowler
Modified: 2018-11-18 18:28 EST (History)
29 users (show)

See Also:
Fixed In Version: curl 7.62.0
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Sam Fowler 2018-10-23 21:44:16 EDT
Curl versions 7.33.0 to 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code.

The internal function `Curl_auth_create_plain_message` fails to correctly
verify that the passed in lengths for name and password aren't too long, then
calculates a buffer size to allocate.

On systems with a 32 bit `size_t`, the math to calculate the buffer size
triggers an integer overflow when the user name length exceeds 2GB (2^31
bytes). This integer overflow usually causes a very small buffer to actually
get allocated instead of the intended very huge one, making the use of that
buffer end up in a heap buffer overflow.
Comment 1 Sam Fowler 2018-10-23 21:44:33 EDT
Acknowledgments:

Name: the Curl project
Upstream: Harry Sintonen
Comment 3 Sam Fowler 2018-10-31 03:00:53 EDT
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 1644552]


Created mingw-curl tracking bugs for this issue:

Affects: epel-7 [bug 1644553]
Comment 5 Tomas Hoger 2018-11-15 16:23:48 EST
As noted above, this problem was introduced in Curl version 7.33.0 via the following commit:

https://github.com/curl/curl/commit/c56f9797e7feb7c2dc

Prior to that commit, the username and password lengths were limited to  MAX_CURL_USER_LENGTH or MAX_CURL_PASSWORD_LENGTH, i.e. to 256 characters.

This did not affect curl packages in Red Hat Enterprise Linux 7 and earlier, which are based on upstream Curl versions prior to 7.33.0.

Note You need to log in before you can comment on or make changes to this bug.