#12087 closed enhancement (fixed)
curl-7.65.0 (CVE-2019-5435 CVE-2019-5436)
| Reported by: | Douglas R. Reno | Owned by: | Douglas R. Reno |
|---|---|---|---|
| Priority: | high | Milestone: | 9.0 |
| Component: | BOOK | Version: | SVN |
| Severity: | normal | Keywords: | |
| Cc: | | | |
Description
New minor version. Several security fixes.
Change History (4)
comment:1 by , 5 years ago
| Owner: | changed from | to |
|---|---|---|
| Priority: | normal → high | |
| Status: | new → assigned | |
| Summary: | curl-7.65.0 → curl-7.65.0 (CVE-2019-5435 CVE-2019-5436) | |
comment:2 by , 5 years ago
7.65.0

Fixed in 7.65.0 - May 22 2019

Changes:

- CURLOPT_DNS_USE_GLOBAL_CACHE: removed
- CURLOPT_MAXAGE_CONN: set the maximum allowed age for conn reuse
- pipelining: removed

Bugfixes:

- CVE-2019-5435: Integer overflows in curl_url_set
- CVE-2019-5436: tftp: use the current blksize for recvfrom()
- --config: clarify that initial : and = might need quoting
- AppVeyor: enable testing for WinSSL build
- CURLMOPT_TIMERFUNCTION.3: warn about the recursive risk
- CURLOPT_ADDRESS_SCOPE: fix range check and more
- CURLOPT_CAINFO.3: with Schannel, you want Windows 8 or later
- CURLOPT_CHUNK_BGN_FUNCTION.3: document the struct and time value
- CURLOPT_READFUNCTION.3: see also CURLOPT_UPLOAD_BUFFERSIZE
- CURL_MAX_INPUT_LENGTH: largest acceptable string input size
- Curl_disconnect: treat all CONNECT_ONLY connections as "dead"
- INTERNALS: Add code highlighting
- OS400/ccsidcurl: replace use of Curl_vsetopt
- OpenSSL: Report -fips in version if OpenSSL is built with FIPS
- README.md: fix no-consecutive-blank-lines Codacy warning
- VC15 project: remove MinimalRebuild
- VS projects: use Unicode for VC10+
- WRITEFUNCTION: add missing set_in_callback around callback
- altsvc: Fix building with cookies disabled
- auth: Rename the various authentication clean up functions
- base64: build conditionally if there are users
- build-openssl.bat: Fixed support for OpenSSL v1.1.0+
- build: fix "clarify calculation precedence" warnings
- checksrc.bat: ignore snprintf warnings in docs/examples
- cirrus: Customize the disabled tests per FreeBSD version
- cleanup: remove FIXME and TODO comments
- cmake: avoid linking executable for some tests with cmake 3.6+
- cmake: clear CMAKE_REQUIRED_LIBRARIES after each use
- cmake: rename CMAKE_USE_DARWINSSL to CMAKE_USE_SECTRANSP
- cmake: set SSL_BACKENDS
- configure: avoid unportable `==' test(1) operator
- configure: error out if OpenSSL wasn't detected when asked for
- configure: fix default location for fish completions
- cookie: Guard against possible NULL ptr deref
- curl: make code work with protocol-disabled libcurl
- curl: report error for "--no-" on non-boolean options
- curl_easy_getinfo.3: fix minor formatting mistake
- curlver.h: use parenthesis in CURL_VERSION_BITS macro
- docs/BUG-BOUNTY: bug bounty time
- docs/INSTALL: fix broken link
- docs/RELEASE-PROCEDURE: link to live iCalendar
- documentation: Fix several typos
- doh: acknowledge CURL_DISABLE_DOH
- doh: disable DOH for the cases it doesn't work
- examples: remove unused variables
- ftplistparser: fix LGTM alert "Empty block without comment"
- hostip: acknowledge CURL_DISABLE_SHUFFLE_DNS
- http: Ignore HTTP/2 prior knowledge setting for HTTP proxies
- http: acknowledge CURL_DISABLE_HTTP_AUTH
- http: mark bundle as not for multiuse on < HTTP/2 response
- http_digest: Don't expose functions when HTTP and Crypto Auth are disabled
- http_negotiate: do not treat failure of gss_init_sec_context() as fatal
- http_ntlm: Corrected the name of the include guard
- http_ntlm_wb: Handle auth for only a single request
- http_ntlm_wb: Return the correct error on receiving an empty auth message
- lib509: add missing include for strdup
- lib557: initialize variables
- makedebug: Fix ERRORLEVEL detection after running where.exe
- mbedtls: enable use of EC keys
- mime: acknowledge CURL_DISABLE_MIME
- multi: improved HTTP_1_1_REQUIRED handling
- netrc: acknowledge CURL_DISABLE_NETRC
- nss: allow fifos and character devices for certificates
- nss: provide more specific error messages on failed init
- ntlm: Fix misaligned function comments for Curl_auth_ntlm_cleanup
- ntlm: Support the NT response in the type-3 when OpenSSL doesn't include MD4
- openssl: mark connection for close on TLS close_notify
- openvms: Remove pre-processor for SecureTransport
- openvms: Remove pre-processors for Windows
- parse_proxy: use the URL parser API
- parsedate: disabled on CURL_DISABLE_PARSEDATE
- pingpong: disable more when no pingpong protocols are enabled
- polarssl_threadlock: remove conditionally unused code
- progress: acknowledge CURL_DISABLE_PROGRESS_METER
- proxy: acknowledge DISABLE_PROXY more
- resolve: apply Happy Eyeballs philosophy to parallel c-ares queries
- revert "multi: support verbose conncache closure handle"
- sasl: Don't send authcid as authzid for the PLAIN mechanism as per RFC 4616
- sasl: only enable if there's a protocol enabled using it
- scripts: fix typos
- singleipconnect: show port in the verbose "Trying ..." message
- smtp: fix compiler warning
- socks5: user name and passwords must be shorter than 256
- socks: fix error message
- socksd: new SOCKS 4+5 server for tests
- spnego_gssapi: fix return code on gss_init_sec_context() failure
- ssh-libssh: remove unused variable
- ssh: define USE_SSH if SSH is enabled (any backend)
- ssh: move variable declaration to where it's used
- test1002: correct the name
- test2100: Fix typos in test description
- tests/server/util: fix Windows Unicode build
- tests: Run global cleanup at end of tests
- tests: make Impacket (SMB server) Python 3 compatible
- tool_cb_wrt: fix bad-function-cast warning
- tool_formparse: remove redundant assignment
- tool_help: Warn if curl and libcurl versions do not match
- tool_help: include <strings.h> for strcasecmp
- transfer: fix LGTM alert "Comparison is always true"
- travis: add an osx http-only build
- travis: allow builds on branches named "ci"
- travis: install dependencies only when needed
- travis: update some builds to Xenial
- travis: updated mesalink builds
- url: always clone the CURLOPT_CURLU handle
- url: convert the zone id from an IPv6 URL to correct scope id
- urlapi: add CURLUPART_ZONEID to set and get
- urlapi: increase supported scheme length to 40 bytes
- urlapi: require a non-zero host name length when parsing URL
- urlapi: stricter CURLUPART_PORT parsing
- urlapi: strip off zone id from numerical IPv6 addresses
- urlapi: urlencode characters above 0x7f correctly
- vauth/cleartext: update the PLAIN login to match RFC 4616
- vauth/oauth2: Fix OAUTHBEARER token generation
- vauth: Fix incorrect function description for Curl_auth_user_contains_domain
- vtls: fix potential ssl_buffer stack overflow
- wildcard: disable from build when FTP isn't present
- winbuild: Support MultiSSL builds
- xattr: skip unittest on unsupported platforms
7.65.1

Fixed in 7.65.1 - June 5 2019

Bugfixes:

- CURLOPT_LOW_SPEED_* repaired
- NTLM: reset proxy "multipass" state when CONNECT request is done
- PolarSSL: deprecate support step 1. Removed from configure
- appveyor: add Visual Studio solution build
- cmake: check for if_nametoindex()
- cmake: support CMAKE_OSX_ARCHITECTURES when detecting SIZEOF variables
- config-win32: add support for if_nametoindex and getsockname
- conncache: Remove the DEBUGASSERT on length check
- conncache: make "bundles" per host name when doing proxy tunnels
- curl-win32.h: Enable Unix Domain Sockets based on the Windows SDK version
- curl_share_setopt.3: improve wording
- dump-header.d: spell out that no headers == empty file
- example/http2-download: fix format specifier
- examples: cleanups and compiler warning fixes
- http2: Stop drain from being permanently set
- http: don't parse body-related headers in bodyless responses
- md4: build correctly with openssl without MD4
- md4: include the mbedtls config.h to get the MD4 info
- multi: track users of a socket better
- nss: allow to specify TLS 1.3 ciphers if supported by NSS
- parse_proxy: make sure portptr is initialized
- parse_proxy: use the IPv6 zone id if given
- sectransp: handle errSSLPeerAuthCompleted from SSLRead()
- singlesocket: use separate variable for inner loop
- ssl: Update outdated "openssl-only" comments for supported backends
- tests: add HAProxy keywords
- tests: add support to test against OpenSSH for Windows
- tests: make test 1420 and 1406 work with rtsp-disabled libcurl
- tls13-docs: mention it is only for OpenSSL >= 1.1.1
- tool_parse_cfg: Avoid 2 fopen() for WIN32
- tool_setopt: for builds with disabled-proxy, skip all proxy setopts()
- url: Load if_nametoindex() dynamically from iphlpapi.dll on Windows
- url: fix bad feature-disable #ifdef
- url: use correct port in ConnectionExists()
- winbuild: Use two space indentation
CVE-2019-5435

TFTP receive buffer overflow

Project curl Security Advisory, May 22nd 2019

VULNERABILITY

libcurl contains a heap buffer overflow in the function tftp_receive_packet() that receives data from a TFTP server. It calls recvfrom() with the default size for the buffer rather than with the size that was used to allocate it. Thus, the content that might overwrite the heap memory is entirely controlled by the server.

The flaw exists if the user selects to use a "blksize" of 504 or smaller (default is 512). The smaller the size that is used, the larger the possible overflow becomes.

Users choosing a smaller size than default should be rare as the primary use case for changing the size is to make it larger.

It is rare for users to use TFTP across the Internet. It is most commonly used within local networks.

We are not aware of any exploit of this flaw.

INFO

This bug was introduced in January 2009 in commit 0516ce7786e95.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2019-5436 to this issue.

CWE-122: Heap-based Buffer Overflow

Severity: 1.8 (Low)

AFFECTED VERSIONS

Affected versions: libcurl 7.19.4 to and including 7.64.1
Not affected versions: libcurl < 7.19.4 and >= libcurl 7.65.0

libcurl is used by many applications, but not always advertised as such.

THE SOLUTION

A fix for CVE-2019-5436

RECOMMENDATIONS

We suggest you take one of the following actions immediately, in order of preference:

A - Upgrade curl to version 7.65.0
B - Apply the patch to your version and rebuild
C - do not use TFTP with curl

TIMELINE

The issue was reported to the curl project on April 29, 2019.
The patch was communicated to the reporter on April 29, 2019.
We contacted distros@openwall on May 15.
curl 7.65.0 was released on May 22 2019, coordinated with the publication of this advisory.

CREDITS

Reported by l00p3r. Patch by Daniel Stenberg

Thanks a lot!
CVE-2019-5436

Integer overflows in curl_url_set()

Project curl Security Advisory, May 22nd 2019

VULNERABILITY

libcurl contains two integer overflows in the curl_url_set() function that, if triggered, can lead to too small a buffer allocation and a subsequent heap buffer overflow.

The flaws only exist on 32 bit architectures and require excessive string input lengths.

We are not aware of any exploit of this flaw.

INFO

There are two entry points to this issue, on 32 bit architectures.

By asking libcurl to parse a string, passing in a string longer than 2GB to this API:

curl_url_set(uh, CURLUPART_URL, "string", 0);

triggers the bug.

Asking libcurl to update a URL with a new string, and URL encode it in the process, by passing in a string longer than 1.33GB to this API:

curl_url_set(uh, CURLUPART_*, "string", CURLU_URLENCODE);

triggers the bug.

This bug was introduced in August 2018 in commit fb30ac5a2d.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2019-5435 to this issue.

CWE-131: Incorrect Calculation of Buffer Size

Severity: 3.7 (Low)

AFFECTED VERSIONS

Affected versions: libcurl 7.62.0 to and including 7.64.1
Not affected versions: libcurl < 7.62.0 and >= libcurl 7.65.0

libcurl is used by many applications, but not always advertised as such.

THE SOLUTION

A fix for CVE-2019-5435 is already merged.

RECOMMENDATIONS

We suggest you take one of the following actions immediately, in order of preference:

A - Upgrade curl to version 7.65.0
B - Apply the patch to your version and rebuild

TIMELINE

The issue was reported to the curl project on April 24, 2019.
The patch was communicated to the reporter on April 25, 2019.
We contacted distros@openwall on May 15.
curl 7.65.0 was released on May 22 2019, coordinated with the publication of this advisory.

CREDITS

Reported by Wenchao Li. Patch by Daniel Stenberg

Thanks a lot!
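The TFTP advisory above describes a receive buffer allocated for the negotiated "blksize" while recvfrom() is handed the default size. The following is an added example, not libcurl's code: a simplified model (struct and function names are this example's own, and the arithmetic does not reproduce curl's exact internals) that contrasts the defective length choice with the fixed one on a constructed server datagram, computing rather than performing the out-of-bounds write.

```c
#include <stdlib.h>
#include <string.h>

#define TFTP_BLKSIZE_DEFAULT 512
#define TFTP_HDR_LEN 4          /* opcode + block number */

struct tftp_conn {
  unsigned char *rbuf;   /* receive buffer for one DATA packet */
  size_t rbuf_len;       /* bytes actually allocated for rbuf */
  int blksize;           /* block size negotiated with the server */
};

/* Allocate the receive buffer for the negotiated block size (RFC 2348 range). */
static int tftp_conn_init(struct tftp_conn *c, int blksize) {
  if (blksize < 8 || blksize > 65464) return -1;
  c->blksize = blksize;
  c->rbuf_len = (size_t)blksize + TFTP_HDR_LEN;
  c->rbuf = calloc(1, c->rbuf_len);
  return c->rbuf ? 0 : -1;
}

/* The defect: the recvfrom() length comes from the default block size, so a
   buffer allocated for a smaller negotiated blksize is too small for it. */
static size_t recv_len_vulnerable(const struct tftp_conn *c) {
  (void)c; return TFTP_BLKSIZE_DEFAULT + TFTP_HDR_LEN;
}

/* The fix: the recvfrom() length is exactly what was allocated. */
static size_t recv_len_fixed(const struct tftp_conn *c) {
  return c->rbuf_len;
}

/* One receive of a constructed pktlen-byte server datagram under the given
   length policy. Returns how many bytes would land past the end of rbuf;
   the copy is only performed when that is 0, so the bug is modelled, not run. */
static size_t model_receive(size_t (*len_fn)(const struct tftp_conn *),
                            int blksize, size_t pktlen) {
  struct tftp_conn c;
  unsigned char *pkt;
  size_t want, n, spill;
  if (tftp_conn_init(&c, blksize) != 0) return (size_t)-1;
  pkt = malloc(pktlen);
  if (!pkt) { free(c.rbuf); return (size_t)-1; }
  memset(pkt, 'A', pktlen);                   /* constructed DATA packet */
  want = len_fn(&c);
  n = pktlen < want ? pktlen : want;          /* recvfrom() truncates to len */
  spill = n > c.rbuf_len ? n - c.rbuf_len : 0;
  if (spill == 0) memcpy(c.rbuf, pkt, n);     /* the copy recvfrom() would make */
  free(pkt); free(c.rbuf);
  return spill;
}
```

With a negotiated blksize of 100 and a 516-byte datagram the defective policy overruns the 104-byte buffer by 412 bytes, while the fixed policy stores 104 bytes and stays in bounds.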
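The curl_url_set() advisory above describes two 32-bit size calculations that wrap. The following is an added example, not libcurl's code: it models both entry points with uint32_t arithmetic so the wrap is visible on any host, and shows the overflow-checked computation a percent-encoder should use instead (function names and the MAX_INPUT_LEN cap value are this example's own).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Cap on accepted input length; the value here is this example's own
   (libcurl 7.65.0 introduced its own cap, CURL_MAX_INPUT_LENGTH). */
#define MAX_INPUT_LEN 8000000u

/* Entry point 1: a length stored in a 32-bit signed int. Strings of 2 GiB
   or more (len > INT32_MAX) wrap to a negative value. */
static bool len_fits_int32(uint64_t len) {
  return len <= (uint64_t)INT32_MAX;
}

/* Entry point 2: URL-encoding expands each byte to at most 3 ("%XX") plus a
   NUL. Unchecked 32-bit arithmetic wraps once len exceeds (UINT32_MAX - 1) / 3
   (about 1.33 GiB, the advisory's 1.33GB), so the allocation ends up smaller
   than the data copied into it. */
static uint32_t urlencode_size_unchecked(uint32_t len) {
  return len * 3u + 1u;
}
static bool unchecked_alloc_too_small(uint32_t len) {
  return urlencode_size_unchecked(len) < len;
}

/* Checked version: returns the required allocation, or 0 when len is over the
   cap or the multiplication would wrap (a valid result is never 0). */
static uint32_t urlencode_size_checked(uint32_t len) {
  if (len > MAX_INPUT_LEN || len > (UINT32_MAX - 1u) / 3u) return 0;
  return len * 3u + 1u;
}

/* Percent-encode len bytes of src into a buffer sized by the checked
   computation. Returns NULL if the size check fails or malloc() does. */
static char *urlencode(const unsigned char *src, uint32_t len) {
  static const char hex[] = "0123456789ABCDEF";
  uint32_t need = urlencode_size_checked(len), i, o = 0;
  char *out;
  if (need == 0 || !(out = malloc(need))) return NULL;
  for (i = 0; i < len; i++) {
    unsigned char c = src[i];
    bool keep = (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
                (c >= 'a' && c <= 'z') || c == '-' || c == '.' ||
                c == '_' || c == '~';
    if (keep) { out[o++] = (char)c; continue; }
    out[o++] = '%'; out[o++] = hex[c >> 4]; out[o++] = hex[c & 0x0F];
  }
  out[o] = '\0';
  return out;
}
```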
Now version 7.65.1
Mark CVE IDs in the title and bump to high