Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#12087 closed enhancement (fixed)

curl-7.65.0 (CVE-2019-5435 CVE-2019-5436)

Reported by: Douglas R. Reno Owned by: Douglas R. Reno
Priority: high Milestone: 9.0
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

New minor version. Several security fixes

Change History (4)

comment:1 by Douglas R. Reno, 5 years ago

Owner: changed from blfs-book to Douglas R. Reno
Priority: normalhigh
Status: newassigned
Summary: curl-7.65.0curl-7.65.0 (CVE-2019-5435 CVE-2019-5436)

Now version 7.65.1

Mark CVE IDs in the title and bump to high

comment:2 by Douglas R. Reno, 5 years ago

7.65.0

 Fixed in 7.65.0 - May 22 2019

Changes:

    CURLOPT_DNS_USE_GLOBAL_CACHE: removed
    CURLOPT_MAXAGE_CONN: set the maximum allowed age for conn reuse
    pipelining: removed 

Bugfixes:

    CVE-2019-5435: Integer overflows in curl_url_set
    CVE-2019-5436: tftp: use the current blksize for recvfrom()
    --config: clarify that initial : and = might need quoting
    AppVeyor: enable testing for WinSSL build
    CURLMOPT_TIMERFUNCTION.3: warn about the recursive risk
    CURLOPT_ADDRESS_SCOPE: fix range check and more
    CURLOPT_CAINFO.3: with Schannel, you want Windows 8 or later
    CURLOPT_CHUNK_BGN_FUNCTION.3: document the struct and time value
    CURLOPT_READFUNCTION.3: see also CURLOPT_UPLOAD_BUFFERSIZE
    CURL_MAX_INPUT_LENGTH: largest acceptable string input size
    Curl_disconnect: treat all CONNECT_ONLY connections as "dead"
    INTERNALS: Add code highlighting
    OS400/ccsidcurl: replace use of Curl_vsetopt
    OpenSSL: Report -fips in version if OpenSSL is built with FIPS
    README.md: fix no-consecutive-blank-lines Codacy warning
    VC15 project: remove MinimalRebuild
    VS projects: use Unicode for VC10+
    WRITEFUNCTION: add missing set_in_callback around callback
    altsvc: Fix building with cookies disabled
    auth: Rename the various authentication clean up functions
    base64: build conditionally if there are users
    build-openssl.bat: Fixed support for OpenSSL v1.1.0+
    build: fix "clarify calculation precedence" warnings
    checksrc.bat: ignore snprintf warnings in docs/examples
    cirrus: Customize the disabled tests per FreeBSD version
    cleanup: remove FIXME and TODO comments
    cmake: avoid linking executable for some tests with cmake 3.6+
    cmake: clear CMAKE_REQUIRED_LIBRARIES after each use
    cmake: rename CMAKE_USE_DARWINSSL to CMAKE_USE_SECTRANSP
    cmake: set SSL_BACKENDS
    configure: avoid unportable `==' test(1) operator
    configure: error out if OpenSSL wasn't detected when asked for
    configure: fix default location for fish completions
    cookie: Guard against possible NULL ptr deref
    curl: make code work with protocol-disabled libcurl
    curl: report error for "--no-" on non-boolean options
    curl_easy_getinfo.3: fix minor formatting mistake
    curlver.h: use parenthesis in CURL_VERSION_BITS macro
    docs/BUG-BOUNTY: bug bounty time
    docs/INSTALL: fix broken link
    docs/RELEASE-PROCEDURE: link to live iCalendar
    documentation: Fix several typos
    doh: acknowledge CURL_DISABLE_DOH
    doh: disable DOH for the cases it doesn't work
    examples: remove unused variables
    ftplistparser: fix LGTM alert "Empty block without comment"
    hostip: acknowledge CURL_DISABLE_SHUFFLE_DNS
    http: Ignore HTTP/2 prior knowledge setting for HTTP proxies
    http: acknowledge CURL_DISABLE_HTTP_AUTH
    http: mark bundle as not for multiuse on < HTTP/2 response
    http_digest: Don't expose functions when HTTP and Crypto Auth are disabled
    http_negotiate: do not treat failure of gss_init_sec_context() as fatal
    http_ntlm: Corrected the name of the include guard
    http_ntlm_wb: Handle auth for only a single request
    http_ntlm_wb: Return the correct error on receiving an empty auth message
    lib509: add missing include for strdup
    lib557: initialize variables
    makedebug: Fix ERRORLEVEL detection after running where.exe
    mbedtls: enable use of EC keys
    mime: acknowledge CURL_DISABLE_MIME
    multi: improved HTTP_1_1_REQUIRED handling
    netrc: acknowledge CURL_DISABLE_NETRC
    nss: allow fifos and character devices for certificates
    nss: provide more specific error messages on failed init
    ntlm: Fix misaligned function comments for Curl_auth_ntlm_cleanup
    ntlm: Support the NT response in the type-3 when OpenSSL doesn't include MD4
    openssl: mark connection for close on TLS close_notify
    openvms: Remove pre-processor for SecureTransport
    openvms: Remove pre-processors for Windows
    parse_proxy: use the URL parser API
    parsedate: disabled on CURL_DISABLE_PARSEDATE
    pingpong: disable more when no pingpong protocols are enabled
    polarssl_threadlock: remove conditionally unused code
    progress: acknowledge CURL_DISABLE_PROGRESS_METER
    proxy: acknowledge DISABLE_PROXY more
    resolve: apply Happy Eyeballs philosophy to parallel c-ares queries
    revert "multi: support verbose conncache closure handle"
    sasl: Don't send authcid as authzid for the PLAIN mechanism as per RFC 4616
    sasl: only enable if there's a protocol enabled using it
    scripts: fix typos
    singleipconnect: show port in the verbose "Trying ..." message
    smtp: fix compiler warning
    socks5: user name and passwords must be shorter than 256
    socks: fix error message
    socksd: new SOCKS 4+5 server for tests
    spnego_gssapi: fix return code on gss_init_sec_context() failure
    ssh-libssh: remove unused variable
    ssh: define USE_SSH if SSH is enabled (any backend)
    ssh: move variable declaration to where it's used
    test1002: correct the name
    test2100: Fix typos in test description
    tests/server/util: fix Windows Unicode build
    tests: Run global cleanup at end of tests
    tests: make Impacket (SMB server) Python 3 compatible
    tool_cb_wrt: fix bad-function-cast warning
    tool_formparse: remove redundant assignment
    tool_help: Warn if curl and libcurl versions do not match
    tool_help: include for strcasecmp
    transfer: fix LGTM alert "Comparison is always true"
    travis: add an osx http-only build
    travis: allow builds on branches named "ci"
    travis: install dependencies only when needed
    travis: update some builds do Xenial
    travis: updated mesalink builds
    url: always clone the CUROPT_CURLU handle
    url: convert the zone id from a IPv6 URL to correct scope id
    urlapi: add CURLUPART_ZONEID to set and get
    urlapi: increase supported scheme length to 40 bytes
    urlapi: require a non-zero host name length when parsing URL
    urlapi: stricter CURLUPART_PORT parsing
    urlapi: strip off zone id from numerical IPv6 addresses
    urlapi: urlencode characters above 0x7f correctly
    vauth/cleartext: update the PLAIN login to match RFC 4616
    vauth/oauth2: Fix OAUTHBEARER token generation
    vauth: Fix incorrect function description for Curl_auth_user_contains_domain
    vtls: fix potential ssl_buffer stack overflow
    wildcard: disable from build when FTP isn't present
    winbuild: Support MultiSSL builds
    xattr: skip unittest on unsupported platforms 

7.65.1

 Fixed in 7.65.1 - June 5 2019

Bugfixes:

    CURLOPT_LOW_SPEED_* repaired
    NTLM: reset proxy "multipass" state when CONNECT request is done
    PolarSSL: deprecate support step 1. Removed from configure
    appveyor: add Visual Studio solution build
    cmake: check for if_nametoindex()
    cmake: support CMAKE_OSX_ARCHITECTURES when detecting SIZEOF variables
    config-win32: add support for if_nametoindex and getsockname
    conncache: Remove the DEBUGASSERT on length check
    conncache: make "bundles" per host name when doing proxy tunnels
    curl-win32.h: Enable Unix Domain Sockets based on the Windows SDK version
    curl_share_setopt.3: improve wording
    dump-header.d: spell out that no headers == empty file
    example/http2-download: fix format specifier
    examples: cleanups and compiler warning fixes
    http2: Stop drain from being permanently set
    http: don't parse body-related headers in bodyless responses
    md4: build correctly with openssl without MD4
    md4: include the mbedtls config.h to get the MD4 info
    multi: track users of a socket better
    nss: allow to specify TLS 1.3 ciphers if supported by NSS
    parse_proxy: make sure portptr is initialized
    parse_proxy: use the IPv6 zone id if given
    sectransp: handle errSSLPeerAuthCompleted from SSLRead()
    singlesocket: use separate variable for inner loop
    ssl: Update outdated "openssl-only" comments for supported backends
    tests: add HAProxy keywords
    tests: add support to test against OpenSSH for Windows
    tests: make test 1420 and 1406 work with rtsp-disabled libcurl
    tls13-docs: mention it is only for OpenSSL >= 1.1.1
    tool_parse_cfg: Avoid 2 fopen() for WIN32
    tool_setopt: for builds with disabled-proxy, skip all proxy setopts()
    url: Load if_nametoindex() dynamically from iphlpapi.dll on Windows
    url: fix bad feature-disable #ifdef
    url: use correct port in ConnectionExists()
    winbuild: Use two space indentation 

CVE-2019-5435

TFTP receive buffer overflow

Project curl Security Advisory, May 22nd 2019 - Permalink
VULNERABILITY

libcurl contains a heap buffer overflow in the function (tftp_receive_packet()) that recevives data from a TFTP server. It calls recvfrom() with the default size for the buffer rather than with the size that was used to allocate it. Thus, the content that might overwrite the heap memory is entirely controlled by the server.

The flaw exists if the user selects to use a "blksize" of 504 or smaller (default is 512). The smaller size that is used, the larger the possible overflow becomes.

Users chosing a smaller size than default should be rare as the primary use case for changing the size is to make it larger.

It is rare for users to use TFTP across the Internet. It is most commonly used within local networks.

We are not aware of any exploit of this flaw.
INFO

This bug was introduced in January 2009 in commit 0516ce7786e95.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2019-5436 to this issue.

CWE-122: Heap-based Buffer Overflow

Severity: 1.8 (Low)
AFFECTED VERSIONS

    Affected versions: libcurl 7.19.4 to and including 7.64.1
    Not affected versions: libcurl < 7.19.4 and >= libcurl 7.65.0

libcurl is used by many applications, but not always advertised as such.
THE SOLUTION

A fix for CVE-2019-5436
RECOMMENDATIONS

We suggest you take one of the following actions immediately, in order of preference:

A - Upgrade curl to version 7.65.0

B - Apply the patch to your version and rebuild

C - do not use TFTP with curl
TIMELINE

The issue was reported to the curl project on April 29, 2019. The patch was communicated to the reporter on April 29, 2019. We contacted distros@openwall on May 15.

curl 7.65.0 was released on May 22 2019, coordinated with the publication of this advisory.
CREDITS

Reported by l00p3r. Patch by Daniel Stenberg

Thanks a lot!

CVE-2019-5436

Integer overflows in curl_url_set()

Project curl Security Advisory, May 22nd 2019 - Permalink
VULNERABILITY

libcurl contains two integer overflows in the curl_url_set() function that if triggered, can lead to a too small buffer allocation and a subsequent heap buffer overflow.

The flaws only exist on 32 bit architectures and require excessive string input lengths.

We are not aware of any exploit of this flaw.
INFO

There are two entry points to this issue, on 32 bit architectures.

By asking libcurl to parse a string, passing in a string longer than 2GB to this API: curl_url_set(uh, CURLUPART_URL, "string", 0); triggers the bug.

Asking libcurl to update a URL with a new string, and URL encoded it in the process, by passing in a string longer than 1.33GB to this API: curl_url_set(uh, CURLUPART_*, "string", CURLU_URLENCODE); triggers the bug.

This bug was introduced in August 2018 in commit fb30ac5a2d.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2019-5435 to this issue.

CWE-131: Incorrect Calculation of Buffer Size

Severity: 3.7 (Low)
AFFECTED VERSIONS

    Affected versions: libcurl 7.62.0 to and including 7.64.1
    Not affected versions: libcurl < 7.62.0 and >= libcurl 7.65.0

libcurl is used by many applications, but not always advertised as such.
THE SOLUTION

A fix for CVE-2019-5435 is already merged.
RECOMMENDATIONS

We suggest you take one of the following actions immediately, in order of preference:

A - Upgrade curl to version 7.65.0

B - Apply the patch to your version and rebuild
TIMELINE

The issue was reported to the curl project on April 24, 2019. The patch was communicated to the reporter on April 25, 2019. We contacted distros@openwall on May 15.

curl 7.65.0 was released on May 22 2019, coordinated with the publication of this advisory.
CREDITS

Reported by Wenchao Li. Patch by Daniel Stenberg

Thanks a lot!

comment:3 by Douglas R. Reno, 5 years ago

Resolution: fixed
Status: assignedclosed

Fixed at r21669

comment:4 by Bruce Dubbs, 5 years ago

Milestone: 8.59.0

Milestone renamed

Note: See TracTickets for help on using tickets.