Opened 5 years ago

Closed 5 years ago

#11640 closed enhancement (fixed)

curl-7.64.0 (CVE-2018-16890 CVE-2019-3822 CVE-2019-3823)

Reported by: Douglas R. Reno Owned by: Douglas R. Reno
Priority: high Milestone: 8.4
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

New minor version

cURL Release Notes 

curl and libcurl 7.64.0

 Public curl releases:         179
 Command line options:         220
 curl_easy_setopt() options:   265
 Public functions in libcurl:  80
 Contributors:                 1875

This release includes the following changes:

 o cookies: leave secure cookies alone [3]
 o hostip: support wildcard hosts [23]
 o http: Implement trailing headers for chunked transfers [7]
 o http: added options for allowing HTTP/0.9 responses [10]
 o timeval: Use high resolution timestamps on Windows [19]

This release includes the following bugfixes:

 o CVE-2018-16890: NTLM type-2 out-of-bounds buffer read [67]
 o CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow [68]
 o CVE-2019-3823: SMTP end-of-response out-of-bounds read [66]
 o FAQ: remove mention of sourceforge for github [22]
 o OS400: handle memory error in list conversion [4]
 o OS400: upgrade ILE/RPG binding.
 o README: add codacy code quality badge
 o Revert http_negotiate: do not close connection [31]
 o THANKS: added several missing names from year <= 2000
 o build: make 'tidy' target work for metalink builds
 o cmake: added checks for variadic macros [47]
 o cmake: updated check for HAVE_POLL_FINE to match autotools [39]
 o cmake: use lowercase for function name like the rest of the code [20]
 o configure: detect xlclang separately from clang [41]
 o configure: fix recv/send/select detection on Android [53]
 o configure: rewrite --enable-code-coverage [61]
 o conncache_unlock: avoid indirection by changing input argument type
 o cookie: fix comment typo [44]
 o cookies: allow secure override when done over HTTPS [34]
 o cookies: extend domain checks to non psl builds [12]
 o cookies: skip custom cookies when redirecting cross-site [36]
 o curl --xattr: strip credentials from any URL that is stored [33]
 o curl -J: refuse to append to the destination file [14]
 o curl/urlapi.h: include "curl.h" first [30]
 o curl_multi_remove_handle() don't block terminating c-ares requests [32]
 o darwinssl: accept setting max-tls with default min-tls [6]
 o disconnect: separate connections and easy handles better [18]
 o disconnect: set conn->data for protocol disconnect
 o docs/version.d: mention MultiSSL [26]
 o docs: fix the --tls-max description [2]
 o docs: use $(INSTALL_DATA) to install man page [64]
 o docs: use meaningless port number in CURLOPT_LOCALPORT example [58]
 o gopher: always include the entire gopher-path in request [5]
 o http2: clear pause stream id if it gets closed [8]
 o if2ip: remove unused function Curl_if_is_interface_name [9]
 o libssh: do not let libssh create socket [63]
 o libssh: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION for libssh [62]
 o libssh: free sftp_canonicalize_path() data correctly [17]
 o libtest/stub_gssapi: use "real" snprintf [27]
 o mbedtls: use VERIFYHOST [15]
 o multi: multiplexing improvements [35]
 o multi: set the EXPIRE_*TIMEOUT timers at TIMER_STARTSINGLE time [57]
 o ntlm: fix NTMLv2 compliance [25]
 o ntlm_sspi: add support for channel binding [54]
 o openssl: adapt to 3.0.0, OpenSSL_version_num() is deprecated [46]
 o openssl: fix the SSL_get_tlsext_status_ocsp_resp call [40]
 o openvms: fix OpenSSL discovery on VAX [21]
 o openvms: fix typos in documentation
 o os400: add a missing closing bracket [50]
 o os400: fix extra parameter syntax error [50]
 o pingpong: change default response timeout to 120 seconds
 o pingpong: ignore regular timeout in disconnect phase [16]
 o printf: fix format specifiers [28]
 o runtests.pl: Fix perl call to include srcdir [65]
 o schannel: fix compiler warning [29]
 o schannel: preserve original certificate path parameter [52]
 o schannel: stop calling it "winssl" [56]
 o sigpipe: if mbedTLS is used, ignore SIGPIPE [59]
 o smb: fix incorrect path in request if connection reused [13]
 o ssh: log the libssh2 error message when ssh session startup fails [55]
 o test1558: verify CURLINFO_PROTOCOL on file:// transfer [51]
 o test1561: improve test name
 o test1653: make it survive torture tests
 o tests: allow tests to pass by 2037-02-12 [38]
 o tests: move objnames-* from lib into tests [42]
 o timediff: fix math for unsigned time_t [37]
 o timeval: Disable MSVC Analyzer GetTickCount warning [60]
 o tool_cb_prg: avoid integer overflow [49]
 o travis: added cmake build for osx [43]
 o urlapi: Fix port parsing of eol colon [1]
 o urlapi: distinguish possibly empty query [5]
 o urlapi: fix parsing ipv6 with zone index [24]
 o urldata: rename easy_conn to just conn [48]
 o winbuild: conditionally use /DZLIB_WINAPI [45]
 o wolfssl: fix memory-leak in threaded use [11]
 o spnego_sspi: add support for channel binding [69]

This release includes the following known bugs:

 o see docs/KNOWN_BUGS (https://curl.haxx.se/docs/knownbugs.html)

This release would not have looked like this without help, code, reports and
advice from friends like these:

  Alessandro Ghedini, Andrei Neculau, Archangel SDY, Ayoub Boudhar, Ben Kohler,
  Bernhard M. Wiedemann, Brad Spencer, Brian Carpenter, Claes Jakobsson,
  Daniel Gustafsson, Daniel Stenberg, David Garske, dnivras on github,
  Eric Rosenquist, Etienne Simard, Felix Hädicke, Florian Pritz,
  Frank Gevaerts, Giorgos Oikonomou, Gisle Vanem, GitYuanQu on github,
  Haibo Huang, Harry Sintonen, Helge Klein, Huzaifa Sidhpurwala,
  jasal82 on github, Jeremie Rapin, Jeroen Ooms, Joel Depooter, John Marshall,
  jonrumsey on github, Julian Z, Kamil Dudka, Katsuhiko YOSHIDA, Kees Dekker,
  Ladar Levison, Leonardo Taccari, Marcel Raad, Markus Moeller,
  masbug on github, Matus Uzak, Michael Kujawa, Patrick Monnerat, Pavel Pavlov,
  Peng Li, Ray Satiro, Rikard Falkeborn, Ruslan Baratov, Sergei Nikulov,
  Shlomi Fish, Tobias Lindgren, Tom van der Woerdt, Viktor Szakats,
  Wenxiang Qian, William A. Rowe Jr, Zhao Yisha,
  (56 contributors)

        Thanks! (and sorry if I forgot to mention someone)

References to bug reports and discussions on issues:

 [1] = https://curl.haxx.se/bug/?i=3365
 [2] = https://curl.haxx.se/bug/?i=3368
 [3] = https://curl.haxx.se/bug/?i=2956
 [4] = https://curl.haxx.se/bug/?i=3372
 [5] = https://curl.haxx.se/bug/?i=3369
 [6] = https://curl.haxx.se/bug/?i=3367
 [7] = https://curl.haxx.se/bug/?i=3350
 [8] = https://curl.haxx.se/bug/?i=3392
 [9] = https://curl.haxx.se/bug/?i=3401
 [10] = https://curl.haxx.se/bug/?i=2873
 [11] = https://curl.haxx.se/bug/?i=3395
 [12] = https://curl.haxx.se/bug/?i=2964
 [13] = https://curl.haxx.se/bug/?i=3388
 [14] = https://curl.haxx.se/bug/?i=3380
 [15] = https://curl.haxx.se/bug/?i=3376
 [16] = https://curl.haxx.se/bug/?i=3264
 [17] = https://curl.haxx.se/bug/?i=3402
 [18] = https://curl.haxx.se/bug/?i=3400
 [19] = https://curl.haxx.se/bug/?i=3318
 [20] = https://curl.haxx.se/bug/?i=3196
 [21] = https://curl.haxx.se/bug/?i=3407
 [22] = https://curl.haxx.se/bug/?i=3410
 [23] = https://curl.haxx.se/bug/?i=3406
 [24] = https://curl.haxx.se/bug/?i=3411
 [25] = https://curl.haxx.se/bug/?i=3286
 [26] = https://curl.haxx.se/bug/?i=3432
 [27] = https://curl.haxx.se/mail/lib-2019-01/0000.html
 [28] = https://curl.haxx.se/bug/?i=3426
 [29] = https://curl.haxx.se/bug/?i=3435
 [30] = https://curl.haxx.se/bug/?i=3438
 [31] = https://curl.haxx.se/bug/?i=3384
 [32] = https://curl.haxx.se/bug/?i=3371
 [33] = https://curl.haxx.se/bug/?i=3423
 [34] = https://curl.haxx.se/bug/?i=3445
 [35] = https://curl.haxx.se/bug/?i=3436
 [36] = https://curl.haxx.se/bug/?i=3417
 [37] = https://curl.haxx.se/bug/?i=3449
 [38] = https://curl.haxx.se/bug/?i=3443
 [39] = https://curl.haxx.se/bug/?i=3292
 [40] = https://curl.haxx.se/bug/?i=3477
 [41] = https://curl.haxx.se/bug/?i=3474
 [42] = https://curl.haxx.se/bug/?i=3470
 [43] = https://curl.haxx.se/bug/?i=3468
 [44] = https://curl.haxx.se/bug/?i=3469
 [45] = https://curl.haxx.se/bug/?i=3133
 [46] = https://curl.haxx.se/bug/?i=3462
 [47] = https://curl.haxx.se/bug/?i=3459
 [48] = https://curl.haxx.se/bug/?i=3442
 [49] = https://curl.haxx.se/bug/?i=3456
 [50] = https://curl.haxx.se/bug/?i=3453
 [51] = https://curl.haxx.se/bug/?i=3447
 [52] = https://curl.haxx.se/bug/?i=3480
 [53] = https://curl.haxx.se/bug/?i=3484
 [54] = https://curl.haxx.se/bug/?i=3280
 [55] = https://curl.haxx.se/bug/?i=3481
 [56] = https://curl.haxx.se/bug/?i=3504
 [57] = https://curl.haxx.se/mail/lib-2019-01/0073.html
 [58] = https://curl.haxx.se/bug/?i=3513
 [59] = https://curl.haxx.se/bug/?i=3502
 [60] = https://curl.haxx.se/bug/?i=3437
 [61] = https://curl.haxx.se/bug/?i=3497
 [62] = https://curl.haxx.se/bug/?i=3493
 [63] = https://curl.haxx.se/bug/?i=3491
 [64] = https://curl.haxx.se/bug/?i=3518
 [65] = https://curl.haxx.se/bug/?i=3496
 [66] = https://curl.haxx.se/docs/CVE-2019-3823.html
 [67] = https://curl.haxx.se/docs/CVE-2018-16890.html
 [68] = https://curl.haxx.se/docs/CVE-2019-3822.html
 [69] = https://curl.haxx.se/bug/?i=3503

CVE-2018-16890 

NTLM type-2 out-of-bounds buffer read
=====================================

Project curl Security Advisory, February 6th 2019 -
[Permalink](https://curl.haxx.se/docs/CVE-2018-16890.html)

VULNERABILITY
-------------

libcurl contains a heap buffer out-of-bounds read flaw.

The function handling incoming NTLM type-2 messages
(`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data
correctly and is subject to an integer overflow vulnerability.

Using that overflow, a malicious or broken NTLM server could trick libcurl to
accept a bad length + offset combination that would lead to a buffer read
out-of-bounds.

We are not aware of any exploit of this flaw.

INFO
----

This bug was introduced in [commit
86724581b6c](https://github.com/curl/curl/commit/86724581b6c), January 2014.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2018-16890 to this issue.

CWE-125: Out-of-bounds Read

Severity: 5.3 (Medium)

AFFECTED VERSIONS
-----------------

- Affected versions: libcurl 7.36.0 to and including 7.63.0
- Not affected versions: libcurl < 7.36.0 and >= 7.64.0

libcurl is used by many applications, but not always advertised as such.

THE SOLUTION
------------

A [patch for CVE-2018-16890](https://github.com/curl/curl/commit/b780b30d1377adb10bbe774835f49e9b237fb9bb)

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

 A - Upgrade curl to version 7.64.0

 B - Apply the patch to your version and rebuild

 C - Turn off NTLM authentication

TIME LINE
---------

It was reported to the curl project on December 30, 2018. We contacted
distros@openwall on January 28.

curl 7.64.0 was released on February 6 2019, coordinated with the publication
of this advisory.

CREDITS
-------

Reported by Wenxiang Qian of Tencent Blade Team. Patch by Daniel Stenberg.

Thanks a lot!

CVE-2019-3822 

NTLMv2 type-3 header stack buffer overflow
==========================================

Project curl Security Advisory, February 6th 2019 -
[Permalink](https://curl.haxx.se/docs/CVE-2019-3822.html)

VULNERABILITY
-------------

libcurl contains a stack based buffer overflow vulnerability.

The function creating an outgoing NTLM type-3 header
(`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the
request HTTP header contents based on previously received data. The check that
exists to prevent the local buffer from getting overflowed is implemented
wrongly (using unsigned math) and as such it does not prevent the overflow
from happening.

This output data can grow larger than the local buffer if very large "nt
response" data is extracted from a previous NTLMv2 header provided by the
malicious or broken HTTP server.

Such a "large value" needs to be around 1000 bytes or more. The actual payload
data copied to the target buffer comes from the NTLMv2 type-2 response header.

We are not aware of any exploit of this flaw.

INFO
----

This bug was introduced in [commit
86724581b6c](https://github.com/curl/curl/commit/86724581b6c), January 2014.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2019-3822 to this issue.

CWE-121: Stack-based Buffer Overflow

Severity: 7.3 (High)

AFFECTED VERSIONS
-----------------

- Affected versions: libcurl 7.36.0 to and including 7.63.0
- Not affected versions: libcurl < 7.36.0 and >= 7.64.0

libcurl is used by many applications, but not always advertised as such.

THE SOLUTION
------------

A [patch for CVE-2019-3822](https://github.com/curl/curl/commit/50c9484278c63b958655a717844f0721263939cc)

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

 A - Upgrade curl to version 7.64.0

 B - Apply the patch to your version and rebuild

 C - Turn off NTLM authentication

TIME LINE
---------

It was reported to the curl project on December 30, 2018. We contacted
distros@openwall on January 28.

curl 7.64.0 was released on February 6 2019, coordinated with the publication
of this advisory.

CREDITS
-------

Reported by Wenxiang Qian of Tencent Blade Team. Patch by Daniel Stenberg.

Thanks a lot!

CVE-2019-3823 

SMTP end-of-response out-of-bounds read
=======================================

Project curl Security Advisory, February 6th 2019 -
[Permalink](https://curl.haxx.se/docs/CVE-2019-3823.html)

VULNERABILITY
-------------

libcurl contains a heap out-of-bounds read in the code handling the
end-of-response for SMTP.

If the buffer passed to `smtp_endofresp()` isn't NUL terminated and contains
no character ending the parsed number, and `len` is set to 5, then the
`strtol()` call reads beyond the allocated buffer. The read contents will not
be returned to the caller.

We are not aware of any exploit of this flaw.

INFO
----

This bug was introduced in October 2013 in
[commit 2766262a68](https://github.com/curl/curl/commit/2766262a68).

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2019-3823 to this issue.

CWE-125: Out-of-bounds Read

Severity: 3.7 (Low)

AFFECTED VERSIONS
-----------------

- Affected versions: libcurl 7.34.0 to and including 7.63.0
- Not affected versions: libcurl < 7.34.0

libcurl is used by many applications, but not always advertised as such.

THE SOLUTION
------------

A [patch for CVE-2019-3823](https://github.com/curl/curl/commit/39df4073e5413fcdbb5a38da0c1ce6f1c0ceb484) is available.

RECOMMENDATIONS
--------------

We suggest you take one of the following actions immediately, in order of
preference:

 A - Upgrade curl to version 7.64.0

 B - Apply the patch to your version and rebuild

 C - Turn off SMTP

TIMELINE
--------

The issue was reported to the curl project on January 18, 2019. A patch was
communicated to the reporter on January 19, 2019. We contacted distros@openwall
on January 28.

curl 7.64.0 was released on February 6 2019, coordinated with the publication
of this advisory.

CREDITS
-------

Reported by Brian Carpenter, Geeknik Labs. Patch by Daniel Gustafsson

Thanks a lot!

Change History (2)

comment:1 by Douglas R. Reno, 5 years ago

Owner: changed from blfs-book to Douglas R. Reno
Status: newassigned

comment:2 by Douglas R. Reno, 5 years ago

Resolution: fixed
Status: assignedclosed

Fixed at r21095

Note: See TracTickets for help on using tickets.