Bug 1749402 (CVE-2019-5481) - CVE-2019-5481 curl: double free due to subsequent call of realloc()
Summary: CVE-2019-5481 curl: double free due to subsequent call of realloc()
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-5481
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1751921 1751922 1751923 1751924 1751925
Blocks: 1749416
TreeView+ depends on / blocked
 
Reported: 2019-09-05 14:25 UTC by Dhananjay Arunesh
Modified: 2021-02-16 21:24 UTC (History)
29 users (show)

Fixed In Version: curl 7.66
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-04-28 16:34:07 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:1792 0 None None None 2020-04-28 15:53:12 UTC

Description Dhananjay Arunesh 2019-09-05 14:25:13 UTC
During such kerberos FTP data transfer, the server sends data to curl in blocks with the 32 bit size of each block first and then that amount of data immediately following. A malicious or just broken server can claim to send a very large block and if by doing that it makes curl's subsequent call to `realloc()` to fail, curl would then misbehave in the exit path and double-free the memory.

Comment 5 Dhananjay Arunesh 2019-09-09 03:59:41 UTC
Acknowledgments:

Name: the Curl project
Upstream: Thomas Vegas

Comment 6 Kamil Dudka 2019-09-12 13:28:01 UTC
What is the impact and cvss score for this issue?

https://access.redhat.com/security/cve/CVE-2019-5481 gives me 404.

Comment 7 Huzaifa S. Sidhpurwala 2019-09-13 06:22:51 UTC
Upstream patch: https://github.com/curl/curl/commit/9069838b30fb3b48af0123e39f664cea683254a5

This flaw was introduced in November 2016 via the following commit:
https://github.com/curl/curl/commit/0649433da53c7165f839e2

Only libcurl >= 7.52.0 to and including 7.65.3 are affected by this flaw.

Comment 8 Huzaifa S. Sidhpurwala 2019-09-13 06:22:55 UTC
External References:

https://curl.haxx.se/docs/CVE-2019-5481.html

Comment 9 Huzaifa S. Sidhpurwala 2019-09-13 06:23:18 UTC
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 1751921]


Created mingw-curl tracking bugs for this issue:

Affects: epel-7 [bug 1751923]
Affects: fedora-all [bug 1751922]

Comment 11 Huzaifa S. Sidhpurwala 2019-09-13 06:29:37 UTC
Basically a curl crash which can be triggered by a malicious MITM server. Crash is caused by a double-free. Also as per upstream advisory "Kerberos FTP is a rarely used protocol with curl. Also, Kerberos authentication is usually only attempted and used with servers that the client has a previous association with." This makes exploitation difficult.

Comment 15 errata-xmlrpc 2020-04-28 15:53:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1792 https://access.redhat.com/errata/RHSA-2020:1792

Comment 16 Product Security DevOps Team 2020-04-28 16:34:07 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-5481


Note You need to log in before you can comment on or make changes to this bug.