curl: Multiple vulnerabilities (CVE-2019-5481, CVE-2019-5482)
CVE-2019-5481: FTP-KRB double-free
libcurl can be told to use kerberos over FTP to a server, as set with the CURLOPT_KRBLEVEL option. During such kerberos FTP data transfer, the server sends data to curl in blocks with the 32 bit size of each block first and then that amount of data immediately following. A malicious or just broken server can claim to send a very large block and if by doing that it makes curl's subsequent call to realloc() to fail, curl would then misbehave in the exit path and double-free the memory.
- Affected versions: libcurl >= 7.52.0 to and including 7.65.3
- Not affected versions: libcurl < 7.52.0
Fixed In Version:
libcurl 7.66.0
References
- https://curl.haxx.se/docs/CVE-2019-5481.html
- https://www.openwall.com/lists/oss-security/2019/09/11/5
Patch:
https://github.com/curl/curl/commit/9069838b30fb3b48af0123e39f664cea683254a5
CVE-2019-5482: TFTP small blocksize heap buffer overflow
libcurl contains a heap buffer overflow in the function (tftp_receive_packet()) that receives data from a TFTP server. It can call recvfrom() with the default size for the buffer rather than with the size that was used to allocate it. Thus, the content that might overwrite the heap memory is controlled by the server. This flaw is only triggered if the TFTP server sends an OACK without the BLKSIZE option, when a BLKSIZE smaller than 512 bytes was requested by the TFTP client. OACK is a TFTP extension and is not used by all TFTP servers.
- Affected versions: libcurl >= 7.19.4 to and including 7.65.3
- Not affected versions: libcurl < 7.19.4
Fixed In Version:
libcurl 7.66.0
References:
- https://curl.haxx.se/docs/CVE-2019-5482.html
- https://www.openwall.com/lists/oss-security/2019/09/11/6
Patch:
https://github.com/curl/curl/commit/facb0e4662415b5f28163e853dc6742ac5fafb3d
Affected branches:
-
master -
3.10-stable -
3.9-stable -
3.8-stable -
3.7-stable