Debian Bug report logs -
#908327
curl: CVE-2018-14618: NTLM password overflow via integer overflow
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Alessandro Ghedini <ghedo@debian.org>
:
Bug#908327
; Package src:curl
.
(Sat, 08 Sep 2018 12:33:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Alessandro Ghedini <ghedo@debian.org>
.
(Sat, 08 Sep 2018 12:33:07 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: curl
Version: 7.61.0-1
Severity: serious
Tags: security upstream
Justification: otherwise regression from stable for security fix
Forwarded: https://github.com/curl/curl/issues/2756
Control: found -1 7.52.1-1
Control: fixed -1 7.52.1-5+deb9u7
Hi,
The following vulnerability was published for curl. Justification for
the severity, is that it would otherwise imply a regression from
stable for a security fix.
CVE-2018-14618[0]:
| curl before version 7.61.1 is vulnerable to a buffer overrun in the
| NTLM authentication code. The internal function
| Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two
| (SUM) to figure out how large temporary storage area to allocate from
| the heap. The length value is then subsequently used to iterate over
| the password and generate output into the allocated storage buffer. On
| systems with a 32 bit size_t, the math to calculate SUM triggers an
| integer overflow when the password length exceeds 2GB (2^31 bytes).
| This integer overflow usually causes a very small buffer to actually
| get allocated instead of the intended very huge one, making the use of
| that buffer end up in a heap buffer overflow. (This bug is almost
| identical to CVE-2017-8816.)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-14618
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14618
[1] https://curl.haxx.se/docs/CVE-2018-14618.html
[2] https://github.com/curl/curl/issues/2756
[3] https://github.com/curl/curl/commit/57d299a499155d4b327e341c6024e293b0418243
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Marked as found in versions curl/7.52.1-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org
.
(Sat, 08 Sep 2018 12:33:07 GMT) (full text, mbox, link).
Marked as fixed in versions curl/7.52.1-5+deb9u7.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org
.
(Sat, 08 Sep 2018 12:33:08 GMT) (full text, mbox, link).
Added tag(s) fixed-upstream.
Request was from debian-bts-link@lists.debian.org
to control@bugs.debian.org
.
(Thu, 13 Sep 2018 19:09:07 GMT) (full text, mbox, link).
Reply sent
to Alessandro Ghedini <ghedo@debian.org>
:
You have taken responsibility.
(Thu, 01 Nov 2018 00:39:03 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Bug acknowledged by developer.
(Thu, 01 Nov 2018 00:39:03 GMT) (full text, mbox, link).
Message #16 received at 908327-close@bugs.debian.org (full text, mbox, reply):
Source: curl
Source-Version: 7.62.0-1
We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 908327@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Alessandro Ghedini <ghedo@debian.org> (supplier of updated curl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 31 Oct 2018 22:42:44 +0000
Source: curl
Binary: curl libcurl4 libcurl3-gnutls libcurl3-nss libcurl4-openssl-dev libcurl4-gnutls-dev libcurl4-nss-dev libcurl4-doc
Architecture: source
Version: 7.62.0-1
Distribution: unstable
Urgency: medium
Maintainer: Alessandro Ghedini <ghedo@debian.org>
Changed-By: Alessandro Ghedini <ghedo@debian.org>
Description:
curl - command line tool for transferring data with URL syntax
libcurl3-gnutls - easy-to-use client-side URL transfer library (GnuTLS flavour)
libcurl3-nss - easy-to-use client-side URL transfer library (NSS flavour)
libcurl4 - easy-to-use client-side URL transfer library (OpenSSL flavour)
libcurl4-doc - documentation for libcurl
libcurl4-gnutls-dev - development files and documentation for libcurl (GnuTLS flavour)
libcurl4-nss-dev - development files and documentation for libcurl (NSS flavour)
libcurl4-openssl-dev - development files and documentation for libcurl (OpenSSL flavour)
Closes: 908327 911333
Changes:
curl (7.62.0-1) unstable; urgency=medium
.
* New upstream release
+ Fix NTLM password overflow via integer overflow as per CVE-2018-14618
(Closes: #908327) https://curl.haxx.se/docs/CVE-2018-14618.html
+ Fix SASL password overflow via integer overflow as per CVE-2018-16839
https://curl.haxx.se/docs/CVE-2018-16839.html
+ Fix use-after-free in handle close as per CVE-2018-16840
https://curl.haxx.se/docs/CVE-2018-16840.html
+ Fix warning message out-of-buffer read as per CVE-2018-16842
https://curl.haxx.se/docs/CVE-2018-16842.html
+ Fix broken terminal output (closes: #911333)
* Refresh patches
* Add 12_fix-runtests-curl.patch to fix running curl in tests
Checksums-Sha1:
8efa0e38e07dfc9e8f82661d376d145fc6c22eea 2687 curl_7.62.0-1.dsc
0db6f8129e556fdb4257d7271942293b1b00889f 4045208 curl_7.62.0.orig.tar.gz
7a706c600c2444e11b2018b8008ec1605046be4b 28764 curl_7.62.0-1.debian.tar.xz
e850804c43dfcc796ac105ea9d9f5de657c5965f 11014 curl_7.62.0-1_amd64.buildinfo
Checksums-Sha256:
9a95b882b900fa8c0f25b03befd8af3a2c6d4cdfe0ea72e3accfe9b1153f2aec 2687 curl_7.62.0-1.dsc
55ccd5b5209f8cc53d4250e2a9fd87e6f67dd323ae8bd7d06b072cfcbb7836cb 4045208 curl_7.62.0.orig.tar.gz
6c3574ad00b4d5811339d02275a75420263698b03d5d5bc39bfc7eece1c219bd 28764 curl_7.62.0-1.debian.tar.xz
c780f5b3b4901eefcebad13fcc8bdd4c612732f51b953c35c23603054af81145 11014 curl_7.62.0-1_amd64.buildinfo
Files:
038c1f0daf0967b57a4402dfe63d7ee3 2687 web optional curl_7.62.0-1.dsc
e60dbe74a5907c16524ec06e8c787497 4045208 web optional curl_7.62.0.orig.tar.gz
8a495147d30650ac1a6b8ba4ac391100 28764 web optional curl_7.62.0-1.debian.tar.xz
b4af4c624664bbf55a3beae42ea0cc01 11014 web optional curl_7.62.0-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQJFBAEBCgAvFiEEBsId305pBx+F583DbwzL4CFiRygFAlvaRAYRHGdoZWRvQGRl
Ymlhbi5vcmcACgkQbwzL4CFiRyjT/A//Tr0G2wqoMDe7p9rfmH9LV9U9iTrFdK2T
v5R6MWDRPROoaMIYhFJxRdft53exg0wtNv1xcafzCWjmq1eicUKLd3QscEobMOq7
Nhf86oL81JxPg3MgRkaPFXIxOqU3wra8KXKXkHs6g12h7gyJEQ26C4+caJkrbmoz
NN3sBH3NihlPhHCCZ1m4rRfssc5lT2u/NBHPhPcBtATXaMcCCgmjqLDHQd55LBCe
1YEL9WPYtVEz5heC55YZc2oKdSarJCTiU+N9X6ehvXfU2GpxDA6Fyhioyt+fwEq+
nLX5PUG2XlpPhcmt045XH6fXmcv59TbooHvLaWvjzbEFYaFmY40AZAwQ7Y90yorY
YSvdiK114Ch5qgKbZpDzZMhE/NQIzqkUAlS8Dm6LiPH49IVuQbHMQWvK6km0+SMx
f0sxTn6AraDRRvaKS4pKSfvZcjhZt9Zs6ZaZIqzEnLChN1lwf2x2yFGnYnvkUfjl
EG1AvMsCjmNyoqUWxktaaPn7mrOs3NG++/xMweteoPD0ilBLNTJLOhogeocsKA4j
jy/HBmYZPMRl6LmEo5/AxzPwkdvFD1Q84LTxg09MBQ3vEq0qi6ZO6UVViWYGbVjK
R688VP2hz2dFzrvR1dGAMhkKf3HwLbMUpDMdrr+Is0yCYWNGHiNqQ+o49ESpAl7e
Rp43fIZsOcE=
=AWDr
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Sun, 09 Dec 2018 07:29:56 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 15:35:14 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.