svn commit: r492400 - head/security/vuxml

Sunpoet Po-Chuan Hsieh sunpoet at FreeBSD.org
Thu Feb 7 23:14:55 UTC 2019


Author: sunpoet
Date: Thu Feb  7 23:14:47 2019
New Revision: 492400
URL: https://svnweb.freebsd.org/changeset/ports/492400

Log:
  Document curl vulnerability

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Thu Feb  7 23:14:41 2019	(r492399)
+++ head/security/vuxml/vuln.xml	Thu Feb  7 23:14:47 2019	(r492400)
@@ -58,6 +58,65 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="714b033a-2b09-11e9-8bc3-610fd6e6cd05">
+    <topic>curl -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>curl</name>
+	<range><lt>7.64.0</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>curl security problems:</p>
+	<blockquote cite="https://curl.haxx.se/docs/security.html">
+	  <p>CVE-2018-16890: NTLM type-2 out-of-bounds buffer read</p>
+	  <p>libcurl contains a heap buffer out-of-bounds read flaw.</p>
+	  <p>The function handling incoming NTLM type-2 messages
+	    (lib/vauth/ntlm.c:ntlm_decode_type2_target) does not validate incoming
+	    data correctly and is subject to an integer overflow vulnerability.</p>
+	  <p>Using that overflow, a malicious or broken NTLM server could trick
+	    libcurl to accept a bad length + offset combination that would lead to a
+	    buffer read out-of-bounds.</p>
+	  <p>CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow</p>
+	  <p>libcurl contains a stack based buffer overflow vulnerability.</p>
+	  <p>The function creating an outgoing NTLM type-3 header
+	    (lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()), generates the
+	    request HTTP header contents based on previously received data. The
+	    check that exists to prevent the local buffer from getting overflowed is
+	    implemented wrongly (using unsigned math) and as such it does not
+	    prevent the overflow from happening.</p>
+	  <p>This output data can grow larger than the local buffer if very large
+	    "nt response" data is extracted from a previous NTLMv2 header provided
+	    by the malicious or broken HTTP server.</p>
+	  <p>Such a "large value" needs to be around 1000 bytes or more. The actual
+	    payload data copied to the target buffer comes from the NTLMv2 type-2
+	    response header.</p>
+	  <p>CVE-2019-3823: SMTP end-of-response out-of-bounds read</p>
+	  <p>libcurl contains a heap out-of-bounds read in the code handling the
+	    end-of-response for SMTP.</p>
+	  <p>If the buffer passed to smtp_endofresp() isn't NUL terminated and
+	    contains no character ending the parsed number, and len is set to 5,
+	    then the strtol() call reads beyond the allocated buffer. The read
+	    contents will not be returned to the caller.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://curl.haxx.se/docs/security.html</url>
+      <url>https://curl.haxx.se/docs/CVE-2018-16890.html</url>
+      <url>https://curl.haxx.se/docs/CVE-2019-3822.html</url>
+      <url>https://curl.haxx.se/docs/CVE-2019-3823.html</url>
+      <cvename>CVE-2018-16890</cvename>
+      <cvename>CVE-2019-3822</cvename>
+      <cvename>CVE-2019-3823</cvename>
+    </references>
+    <dates>
+      <discovery>2019-02-07</discovery>
+      <entry>2019-02-07</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="43ee6c1d-29ee-11e9-82a1-001b217b3468">
     <topic>Gitlab -- Multiple vulnerabilities</topic>
     <affects>
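Review bot: the `<affects>` block lists only the `curl` package, while the file's own note in the context just above the hunk ("Do not forget port variants") asks for every variant to be covered; confirm before committing that no other port built from the same curl sources needs its own `<package>` entry, and add one if it does. A second point on the description: a single `<blockquote cite="https://curl.haxx.se/docs/security.html">` wraps text taken from three separate advisories that are each listed under `<references>`, and the per-CVE headline paragraphs (`<p>CVE-2018-16890: ...</p>`, `<p>CVE-2019-3822: ...</p>`, `<p>CVE-2019-3823: ...</p>`) read as ordinary body text; one `<blockquote>` per CVE, each citing its own `https://curl.haxx.se/docs/CVE-....html` URL, would make the provenance of each paragraph explicit. Finally, the log line "Document curl vulnerability" understates an entry that records three CVEs and a `<topic>` of "multiple vulnerabilities".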