Allele Security Alert
ASA-2019-00539
Identifier(s)
ASA-2019-00539, CVE-2019-5482
Title
TFTP small blocksize heap buffer overflow
Vendor(s)
The Curl Project
Product(s)
curl
Affected version(s)
libcurl version 7.19.4 up to and including 7.65.3
This bug was introduced in the following commit:
Chad Monroe provided the new CURLOPT_TFTP_BLKSIZE option that allows an app
https://github.com/curl/curl/commit/0516ce7786e9500c2e44
Fixed version(s)
libcurl version 7.66.0
libcurl versions with the following commit:
tftp: Alloc maximum blksize, and use default unless OACK is received
https://github.com/curl/curl/commit/facb0e4662415b5f28163e853dc6742ac5fafb3d
Proof of concept
Unknown
Description
libcurl contains a heap buffer overflow in tftp_receive_packet(), the function that receives data from a TFTP server. The receive buffer is allocated according to the blocksize the client requested, but recvfrom() can be called with the default blocksize rather than with the size that was used for the allocation, so the server can send more bytes than the buffer holds. The content that overwrites the heap memory is therefore controlled by the server.
The flaw is only triggered when the TFTP client requested a BLKSIZE smaller than 512 bytes and the server answers with an OACK that does not include the BLKSIZE option: the client then falls back to the default blocksize of 512 bytes for the read while keeping the smaller buffer. OACK is part of the TFTP option negotiation extension (RFC 2347) and is not used by all TFTP servers.
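The sizing mismatch described above, as an added model written for this alert (it is not libcurl's tftp.c; the struct, constants and function names below are ours): the receive buffer is sized from the blocksize the client requested, while the length handed to recvfrom() follows the blocksize currently in effect, which an OACK without a blksize option resets to the 512-byte default. The two OACK packets are constructed for the example. The fixed sizing never allocates less than a default-sized packet, which is in line with the fix commit's title ("use default unless OACK is received").

```c
/* Model of the CVE-2019-5482 sizing bug: the receive buffer is sized from the
 * blocksize the client requested, while the read length follows the blocksize
 * currently in effect, which an OACK lacking "blksize" resets to the default.
 * Illustrative code written for this alert, not libcurl's tftp.c. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TFTP_BLKSIZE_DEFAULT 512   /* RFC 1350 data block size */
#define TFTP_BLKSIZE_MIN     8     /* RFC 2348 negotiable range */
#define TFTP_BLKSIZE_MAX     65464
#define TFTP_OPCODE_OACK     6

/* Hypothetical per-transfer state (names are ours, not libcurl's). */
struct tftp_model {
    int requested_blksize; /* value the client put in its blksize option */
    int blksize;           /* blocksize in effect for the data transfer */
    size_t alloc_len;      /* bytes allocated for the receive buffer */
};

/* Constructed server replies: an OACK that only acknowledges "tsize" (no
 * blksize option), and one that acknowledges blksize 8. */
static const unsigned char OACK_NO_BLKSIZE[] = {
    0x00, TFTP_OPCODE_OACK, 't','s','i','z','e', 0x00, '1','2','3','4', 0x00 };
static const unsigned char OACK_BLKSIZE_8[] = {
    0x00, TFTP_OPCODE_OACK, 'b','l','k','s','i','z','e', 0x00, '8', 0x00 };

/* Walk the NUL-terminated option/value pairs of an OACK. Per RFC 2347 an
 * option the server omits from its OACK is not in effect, so the blocksize
 * falls back to the 512-byte default unless "blksize" is echoed back. */
static void parse_oack(struct tftp_model *st, const unsigned char *pkt, size_t len)
{
    st->blksize = TFTP_BLKSIZE_DEFAULT;
    if (len < 2 || pkt[0] != 0 || pkt[1] != TFTP_OPCODE_OACK)
        return;
    const unsigned char *p = pkt + 2, *end = pkt + len;
    while (p < end) {
        const unsigned char *opt_end = memchr(p, 0, (size_t)(end - p));
        if (!opt_end || opt_end + 1 >= end)
            break;
        const unsigned char *val = opt_end + 1;
        const unsigned char *val_end = memchr(val, 0, (size_t)(end - val));
        if (!val_end)
            break;
        if (strcmp((const char *)p, "blksize") == 0) {
            long b = strtol((const char *)val, NULL, 10);
            /* a server may only lower the value the client requested */
            if (b >= TFTP_BLKSIZE_MIN && b <= TFTP_BLKSIZE_MAX &&
                b <= st->requested_blksize)
                st->blksize = (int)b;
        }
        p = val_end + 1;
    }
}

/* Vulnerable sizing: buffer = requested blocksize + 4 bytes of header. */
static size_t vulnerable_alloc_len(int requested)
{
    return (size_t)requested + 4;
}

/* Fixed sizing: never allocate less than a default-sized packet, because a
 * server that omits blksize from its OACK puts 512 back in effect. */
static size_t fixed_alloc_len(int requested)
{
    int need = requested < TFTP_BLKSIZE_DEFAULT ? TFTP_BLKSIZE_DEFAULT : requested;
    return (size_t)need + 4;
}

/* Length a tftp_receive_packet()-style reader passes to recvfrom(). */
static size_t recv_len(const struct tftp_model *st)
{
    return (size_t)st->blksize + 4;
}

/* Bytes by which the recvfrom() length would exceed the allocation (0 = safe). */
static size_t overflow_bytes(int requested, size_t (*alloc_fn)(int),
                             const unsigned char *oack, size_t oack_len)
{
    struct tftp_model st = { requested, requested, 0 };
    st.alloc_len = alloc_fn(requested);
    parse_oack(&st, oack, oack_len);
    size_t want = recv_len(&st);
    return want > st.alloc_len ? want - st.alloc_len : 0;
}

int main(void)
{
    printf("requested 8, OACK without blksize, old sizing: overflow %zu bytes\n",
           overflow_bytes(8, vulnerable_alloc_len, OACK_NO_BLKSIZE, sizeof OACK_NO_BLKSIZE));
    printf("requested 8, OACK without blksize, fixed sizing: overflow %zu bytes\n",
           overflow_bytes(8, fixed_alloc_len, OACK_NO_BLKSIZE, sizeof OACK_NO_BLKSIZE));
    printf("requested 8, OACK with blksize 8, old sizing: overflow %zu bytes\n",
           overflow_bytes(8, vulnerable_alloc_len, OACK_BLKSIZE_8, sizeof OACK_BLKSIZE_8));
    return 0;
}
```

With a requested blocksize of 8 and the blksize-less OACK, the old sizing yields a 12-byte buffer and a 516-byte read, 504 bytes of server-controlled overflow; the same request against an OACK that echoes blksize 8 is safe, which is why the trigger condition in the description matters. As a defence in depth, a reader can also clamp the recvfrom() length to the allocation, but the allocation-side fix is what removes the mismatch.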
Technical details
Unknown
Credits
Thomas Vegas
Reference(s)
TFTP small blocksize heap buffer overflow
https://curl.haxx.se/docs/CVE-2019-5482.html
[SECURITY ADVISORY] curl: TFTP small blocksize heap buffer overflow
https://www.openwall.com/lists/oss-security/2019/09/11/6
Chad Monroe provided the new CURLOPT_TFTP_BLKSIZE option that allows an app
https://github.com/curl/curl/commit/0516ce7786e9500c2e44
tftp: Alloc maximum blksize, and use default unless OACK is received
https://github.com/curl/curl/commit/facb0e4662415b5f28163e853dc6742ac5fafb3d
CVE-2019-5482
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482
CVE-2019-5482
https://nvd.nist.gov/vuln/detail/CVE-2019-5482
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: September 19, 2019