1670256 – (CVE-2019-3823) CVE-2019-3823 curl: SMTP end-of-response out-of-bounds read

Bug 1670256 (CVE-2019-3823) - CVE-2019-3823 curl: SMTP end-of-response out-of-bounds read

Summary: CVE-2019-3823 curl: SMTP end-of-response out-of-bounds read

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2019-3823
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1672906 1674362 1674363
Blocks:	1670258
TreeView+	depends on / blocked

Reported:	2019-01-29 04:29 UTC by Sam Fowler
Modified:	2021-02-16 22:28 UTC (History)
CC List:	29 users (show)
Fixed In Version:	curl 7.64.0
Doc Type:	If docs needed, set a value
Doc Text:	An out-of-bounds read flaw was found in the way curl handled certain SMTP responses. A remote attacker could use this flaw to crash curl.
Clone Of:
Environment:
Last Closed:	2019-11-06 00:52:03 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2019:3701	0	None	None	None	2019-11-05 22:06:11 UTC

Description Sam Fowler 2019-01-29 04:29:19 UTC

libcurl versions from 7.34.0 to before 7.64.0 are vulnerable to a heap out-of-bounds read in the code handling the end-of-response for SMTP.

If the buffer passed to `smtp_endofresp()` isn't NUL terminated and contains no character ending the parsed number, and `len` is set to 5, then the `strtol()` call reads beyond the allocated buffer. The read contents will not be returned to the caller.


Bug introduced by:

https://github.com/curl/curl/commit/2766262a68

Comment 1 Sam Fowler 2019-01-29 04:29:20 UTC

Acknowledgments:

Name: Daniel Stenberg (the Curl project)
Upstream: Brian Carpenter (Geeknik Labs)

Comment 2 Sam Fowler 2019-02-06 07:50:34 UTC

External Reference:

https://curl.haxx.se/docs/CVE-2019-3823.html


Upstream Patch:

https://github.com/curl/curl/commit/39df4073

Comment 3 Sam Fowler 2019-02-06 07:50:47 UTC

Created curl tracking bugs for this issue:

Affects: fedora-all [bug 1672906]

Comment 4 Huzaifa S. Sidhpurwala 2019-02-11 06:37:16 UTC

Mitigation:

Do not use SMTP authentication with curl

Comment 9 errata-xmlrpc 2019-11-05 22:06:10 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3701 https://access.redhat.com/errata/RHSA-2019:3701

Comment 10 Product Security DevOps Team 2019-11-06 00:52:03 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-3823

Note You need to log in before you can comment on or make changes to this bug.

abhgupta
andrew.slice
bodavis
csutherl
dbaker
dbhole
gzaronik
hhorak
jclere
john.j5live
jokerman
jorton
kanderso
kdudka
lgao
luhliari
mbabacek
msekleta
mturk
myarboro
omajid
paul
psampaio
rwagner
security-response-team
sthangav
trankin
twalsh
weli