Allele Security Alert
ASA-2019-00538
Identifier(s)
ASA-2019-00538, CVE-2019-5481
Title
FTP-KRB double-free
Vendor(s)
The Curl Project
Product(s)
curl
Affected version(s)
libcurl version 7.52.0 up to and including 7.65.3
It was introduced in the following commit:
realloc: use Curl_saferealloc to avoid common mistakes
https://github.com/curl/curl/commit/0649433da53c7165f839e2
Fixed version(s)
libcurl version 7.66.0
libcurl versions with the following commit:
security:read_data fix bad realloc() that could end up a double-free
https://github.com/curl/curl/commit/9069838b30fb3b48af0123e39f664cea683254a5
Proof of concept
Unknown
Description
libcurl can be told to use Kerberos over FTP to a server, as set with the CURLOPT_KRBLEVEL option.
During such a Kerberos FTP data transfer, the server sends data to curl in blocks, each consisting of the 32-bit size of the block followed immediately by that amount of data.
A malicious or simply broken server can claim to send a very large block, and if doing so makes curl's subsequent call to realloc() fail, curl then misbehaves in the exit path and double-frees the memory.
In practical terms, a memory area of up to 4 GB may very well be fine to allocate on a modern 64-bit system, but on 32-bit systems the allocation will fail.
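The failure mode described above, as an added illustration that is not curl's own code: a simplified receive-buffer grow step in which an assumed realloc wrapper frees the old block on failure (the unhardened path), shown beside the hardened form that uses plain realloc so the old block stays valid and is released exactly once. The heap limit, the krb_buf structure, the function names and the two block headers are constructed for the example.

```c
#include <stdlib.h>

/* Constructed stand-in for a 32-bit style heap: growth beyond heap_limit fails,
   as a ~4 GB request would there. freed_ptr records the last block released
   inside the wrapper so the cleanup path can detect a second free. */
static size_t heap_limit = 1024;
static void *freed_ptr;

static void *sim_realloc(void *p, size_t n)
{ return (n > heap_limit) ? NULL : realloc(p, n); }

/* Assumed "safe realloc" wrapper: on failure it frees the old block and
   returns NULL, so the caller must never touch the old pointer again. */
static void *realloc_free_on_fail(void *p, size_t n)
{
  void *q = sim_realloc(p, n);
  if(n && !q) { free(p); freed_ptr = p; }
  return q;
}

struct krb_buf { unsigned char *data; size_t size; };

/* Each block is preceded by its 32-bit big-endian length. */
static size_t block_len(const unsigned char h[4])
{
  return ((size_t)h[0] << 24) | ((size_t)h[1] << 16) | ((size_t)h[2] << 8) | h[3];
}

/* Grow the receive buffer for the announced block. Unhardened: the result lands
   in a temporary, so after a failed grow b->data still points at memory the
   wrapper already freed. Hardened: plain realloc keeps the old block valid on
   failure, and normal cleanup frees it exactly once. */
static int grow(struct krb_buf *b, const unsigned char h[4], int hardened)
{
  size_t len = block_len(h);
  void *tmp = hardened ? sim_realloc(b->data, len) : realloc_free_on_fail(b->data, len);
  if(!tmp) return -1;  /* out-of-memory exit path */
  b->data = tmp; b->size = len;
  return 0;
}

/* Constructed headers: a 4 GB claim and a modest 128-byte block. */
const unsigned char huge_hdr[4] = { 0xff, 0xff, 0xff, 0xff };
const unsigned char small_hdr[4] = { 0x00, 0x00, 0x00, 0x80 };

/* One transfer plus cleanup. Returns 1 if cleanup would free an already freed
   block (double free), 0 if the buffer is released exactly once. */
int simulate(int hardened, const unsigned char h[4])
{
  struct krb_buf b = { malloc(64), 64 };
  freed_ptr = NULL;
  grow(&b, h, hardened);
  int dup = (freed_ptr && b.data == freed_ptr);
  if(!dup) free(b.data);
  return dup;
}
```

The detection in simulate() stands in for what a sanitizer or allocator hardening would report; the real fix is the hardened grow path, not the check.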
Technical details
Unknown
Credits
Thomas Vegas
Reference(s)
FTP-KRB double-free
https://curl.haxx.se/docs/CVE-2019-5481.html
[SECURITY ADVISORY] curl: FTP-KRB double-free
https://www.openwall.com/lists/oss-security/2019/09/11/5
realloc: use Curl_saferealloc to avoid common mistakes
https://github.com/curl/curl/commit/0649433da53c7165f839e2
security:read_data fix bad realloc() that could end up a double-free
https://github.com/curl/curl/commit/9069838b30fb3b48af0123e39f664cea683254a5
CVE-2019-5481
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5481
CVE-2019-5481
https://nvd.nist.gov/vuln/detail/CVE-2019-5481
If there is any error in this alert or you would like a comprehensive analysis, let us know.
Last modified: September 11, 2019