Red Hat Bugzilla – Bug 1642201
CVE-2018-16839 curl: Integer overflow leading to heap-based buffer overflow in Curl_sasl_create_plain_message()
Last modified: 2018-11-18 18:28:15 EST
Curl versions 7.33.0 to 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code.
The internal function `Curl_auth_create_plain_message` fails to correctly
verify that the passed in lengths for name and password aren't too long, then
calculates a buffer size to allocate.
On systems with a 32 bit `size_t`, the math to calculate the buffer size
triggers an integer overflow when the user name length exceeds 2GB (2^31
bytes). This integer overflow usually causes a very small buffer to actually
get allocated instead of the intended very huge one, making the use of that
buffer end up in a heap buffer overflow.
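The size calculation described above, reproduced schematically as an added example that is not curl's own code: a 32-bit size_t is emulated with uint32_t so the wrap is visible on any host, and the bounds in the checked variant are this example's choice of an input-length check, not a quote of the upstream fix.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Emulate a 32-bit size_t so the wraparound is visible on a 64-bit host. */
typedef uint32_t size32_t;
#define SIZE32_MAX UINT32_MAX

/* A SASL PLAIN message is "<user>\0<user>\0<password>" (authzid, authcid,
 * password), so the buffer needs 2*ulen + plen + 2 bytes. This is the
 * unchecked arithmetic the advisory describes; with 32-bit sizes it wraps. */
static size32_t plain_len_unchecked(size32_t ulen, size32_t plen)
{
    return 2 * ulen + plen + 2;          /* computed modulo 2^32 */
}

/* Checked version: bound each input before the arithmetic so the sum cannot
 * wrap. Bounds are this example's assumption: ulen <= SIZE_MAX/4 and
 * plen <= SIZE_MAX/2 - 2 keep the total at most SIZE_MAX - 2. */
static bool plain_len_checked(size32_t ulen, size32_t plen, size32_t *out)
{
    if (ulen > SIZE32_MAX / 4 || plen > SIZE32_MAX / 2 - 2)
        return false;
    *out = 2 * ulen + plen + 2;
    return true;
}

/* Build the PLAIN message using the checked length; returns NULL (and sets
 * *outlen to 0) when the inputs are too long or allocation fails. */
static unsigned char *build_plain(const char *user, const char *pass,
                                  size32_t *outlen)
{
    size32_t ulen = (size32_t)strlen(user), plen = (size32_t)strlen(pass), n;
    unsigned char *buf;
    *outlen = 0;
    if (!plain_len_checked(ulen, plen, &n) || !(buf = malloc(n)))
        return NULL;
    memcpy(buf, user, ulen);              /* authzid */
    buf[ulen] = '\0';
    memcpy(buf + ulen + 1, user, ulen);   /* authcid */
    buf[2 * ulen + 1] = '\0';
    memcpy(buf + 2 * ulen + 2, pass, plen);
    *outlen = n;
    return buf;
}
```

With a 2^31-byte user name and an 8-byte password the unchecked calculation yields 10, which is the "very small buffer" the advisory refers to; the checked version rejects the same input.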
Name: the Curl project
Upstream: Harry Sintonen
Created curl tracking bugs for this issue:
Affects: fedora-all [bug 1644552]
Created mingw-curl tracking bugs for this issue:
Affects: epel-7 [bug 1644553]
As noted above, this problem was introduced in Curl version 7.33.0 via the following commit:
Prior to that commit, the username and password lengths were limited to MAX_CURL_USER_LENGTH or MAX_CURL_PASSWORD_LENGTH, i.e. to 256 characters.
This did not affect curl packages in Red Hat Enterprise Linux 7 and earlier, which are based on upstream Curl versions prior to 7.33.0.