Date: Thu, 7 Feb 2019 23:14:47 +0000 (UTC)
From: Sunpoet Po-Chuan Hsieh <sunpoet@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r492400 - head/security/vuxml
Message-ID: <201902072314.x17NEl5c034677@repo.freebsd.org>
Author: sunpoet Date: Thu Feb 7 23:14:47 2019 New Revision: 492400 URL: https://svnweb.freebsd.org/changeset/ports/492400 Log: Document curl vulnerability Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Thu Feb 7 23:14:41 2019 (r492399) +++ head/security/vuxml/vuln.xml Thu Feb 7 23:14:47 2019 (r492400) 
@@ -58,6 +58,65 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="714b033a-2b09-11e9-8bc3-610fd6e6cd05"> + <topic>curl -- multiple vulnerabilities</topic> + <affects> + <package> + <name>curl</name> + <range><lt>7.64.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>curl security problems:</p> + <blockquote cite="https://curl.haxx.se/docs/security.html"> + <p>CVE-2018-16890: NTLM type-2 out-of-bounds buffer read</p> + <p>libcurl contains a heap buffer out-of-bounds read flaw.</p> + <p>The function handling incoming NTLM type-2 messages + (lib/vauth/ntlm.c:ntlm_decode_type2_target) does not validate incoming + data correctly and is subject to an integer overflow vulnerability.</p> + <p>Using that overflow, a malicious or broken NTLM server could trick + libcurl to accept a bad length + offset combination that would lead to a + buffer read out-of-bounds.</p> + <p>CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow</p> + <p>libcurl contains a stack based buffer overflow vulnerability.</p> + <p>The function creating an outgoing NTLM type-3 header + (lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()), generates the + request HTTP header contents based on previously received data. The + check that exists to prevent the local buffer from getting overflowed is + implemented wrongly (using unsigned math) and as such it does not + prevent the overflow from happening.</p> + <p>This output data can grow larger than the local buffer if very large + "nt response" data is extracted from a previous NTLMv2 header provided + by the malicious or broken HTTP server.</p> + <p>Such a "large value" needs to be around 1000 bytes or more. 
The actual + payload data copied to the target buffer comes from the NTLMv2 type-2 + response header.</p> + <p>CVE-2019-3823: SMTP end-of-response out-of-bounds read</p> + <p>libcurl contains a heap out-of-bounds read in the code handling the + end-of-response for SMTP.</p> + <p>If the buffer passed to smtp_endofresp() isn't NUL terminated and + contains no character ending the parsed number, and len is set to 5, + then the strtol() call reads beyond the allocated buffer. The read + contents will not be returned to the caller.</p> + </blockquote> + </body> + </description> + <references> + <url>https://curl.haxx.se/docs/security.html</url> + <url>https://curl.haxx.se/docs/CVE-2018-16890.html</url> + <url>https://curl.haxx.se/docs/CVE-2019-3822.html</url> + <url>https://curl.haxx.se/docs/CVE-2019-3823.html</url> + <cvename>CVE-2018-16890</cvename> + <cvename>CVE-2019-3822</cvename> + <cvename>CVE-2019-3823</cvename> + </references> + <dates> + <discovery>2019-02-07</discovery> + <entry>2019-02-07</entry> + </dates> + </vuln> + <vuln vid="43ee6c1d-29ee-11e9-82a1-001b217b3468"> <topic>Gitlab -- Multiple vulnerabilities</topic> <affects>
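Review bot: the <affects> block in the new curl entry lists only <name>curl</name>, although the header note in this hunk's context says "Do not forget port variants". Please check whether any other port in the tree packages libcurl under a different name (Linux-compat or similar variants) and, if so, add a <package> element for each so that audits against this entry flag those installs too. Separately, <discovery>2019-02-07</discovery> is identical to <entry>; confirm it is the upstream disclosure date from the cited curl advisories and not just the commit date. The single <range><lt>7.64.0</lt></range> with no lower bound is acceptable for a combined entry covering all three CVEs, but it does mark every earlier curl version as affected by each of them; if the per-CVE advisories give different first-affected versions, it is worth considering a split.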