Libntlm through 1.5 relies on a fixed buffer size for tSmbNtlmAuthRequest, tSmbNtlmAuthChallenge, and tSmbNtlmAuthResponse read and write operations, as demonstrated by a stack-based buffer over-read in buildSmbNtlmAuthRequest in smbutil.c for a crafted NTLM request.
Created libntlm tracking bugs for this issue:
Affects: epel-7 [bug 1768465]
Affects: fedora-all [bug 1768464]
The calling application must verify that the input username and domain fit in the 1024 byte buffer.
The vulnerability is rated Medium because no package in Red Hat Enterprise Linux versions 6 and 7 is using Libntlm. Most 3rd party applications using Libntlm are command line clients and would be affected via a command line option or a configuration file, which are local vectors.
Upstream fix :