Allele Security Alert
ASA-2018-00018
Identifier(s)
ASA-2018-00018, CVE-2018-16839
Title
SASL password overflow via integer overflow
Vendor(s)
the Curl project
Product(s)
curl
Affected version(s)
This issue is only present on 32-bit systems. It also requires the username field to use more than 2GB of memory, which should be rare.
Affected versions: libcurl 7.33.0 to and including 7.61.1
Fixed version(s)
libcurl >= 7.62.0
Proof of concept
Unknown
Description
libcurl contains a buffer overrun in the SASL authentication code.
The internal function Curl_auth_create_plain_message fails to correctly verify that the passed in lengths for name and password aren’t too long, then calculates a buffer size to allocate.
On systems with a 32-bit size_t, the math to calculate the buffer size triggers an integer overflow when the user name length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to be allocated instead of the intended very large one, so writing the message into that buffer ends up as a heap buffer overflow.
The affected function can only be invoked when using POP3(S), IMAP(S) or SMTP(S).
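The following is an added illustration of the size-calculation failure described above and of the overflow-checked form that prevents it. It is not curl's code: the lengths are modelled as 32-bit values (so the wrap reproduces on any host without allocating 2GB strings), and the assumed message shape is the SASL PLAIN form "user\0user\0pass", i.e. 2*ulen + plen + 2 bytes, which is an assumption made for the example rather than a quotation of the affected function.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical 32-bit size type: stands in for size_t on a 32-bit build so the
 * wrap-around can be shown on a 64-bit host too. */
typedef uint32_t size32_t;
#define SIZE32_MAX UINT32_MAX

/* Unchecked calculation (assumed shape: "user\0user\0pass" -> 2*ulen+plen+2).
 * With ulen >= 2^31 the term 2*ulen wraps to 0 (or a small value), so the
 * result is a tiny allocation size for an enormous message. */
size32_t plain_len_unchecked(size32_t ulen, size32_t plen)
{
    return 2 * ulen + plen + 2;
}

/* Checked calculation: every addition is guarded before it is performed.
 * Returns false (and leaves *out untouched) if the result would not fit. */
bool plain_len_checked(size32_t ulen, size32_t plen, size32_t *out)
{
    /* 2*ulen must fit: equivalent to ulen <= SIZE32_MAX/2 */
    if (ulen > SIZE32_MAX / 2)
        return false;
    size32_t twice = 2 * ulen;

    /* twice + plen must fit */
    if (plen > SIZE32_MAX - twice)
        return false;
    size32_t sum = twice + plen;

    /* + 2 bytes for the two NUL separators must fit */
    if (sum > SIZE32_MAX - 2)
        return false;

    *out = sum + 2;
    return true;
}

int main(void)
{
    /* Constructed inputs: a 2GB username (2^31 bytes) and a 10-byte password. */
    size32_t ulen = 0x80000000u;
    size32_t plen = 10;
    size32_t len;

    printf("unchecked size for 2GB username: %u bytes\n",
           (unsigned)plain_len_unchecked(ulen, plen));

    if (!plain_len_checked(ulen, plen, &len))
        printf("checked: rejected, 2*ulen+plen+2 does not fit in 32 bits\n");

    if (plain_len_checked(5, plen, &len))
        printf("checked: ordinary 5-byte username -> %u bytes\n", (unsigned)len);
    return 0;
}
```

The unchecked version returns 12 for the 2GB username, which is the "very small buffer" the advisory describes; the checked version refuses the input before any allocation happens. The same guard-before-add pattern applies to any length arithmetic fed by untrusted input, not only to SASL.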
Technical details
Unknown
Credits
Harry Sintonen
Reference(s)
CURL 7.62.0 MOAR STUFF
https://daniel.haxx.se/blog/2018/10/31/curl-7-62-0-moar-stuff/
SASL password overflow via integer overflow
https://curl.haxx.se/docs/CVE-2018-16839.html
sasl: allow arbitrarily long username and password
https://github.com/curl/curl/commit/c56f9797e7feb7c2dc
Curl_auth_create_plain_message: fix too-large-input-check
https://github.com/curl/curl/commit/f3a24d7916b9173c69a3e0ee790102993833d6c5
CVE-2018-16839
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16839
CVE-2018-16839
https://nvd.nist.gov/vuln/detail/CVE-2018-16839
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: February 6, 2019