curl: CVE-2018-14618: NTLM password overflow via integer overflow

Related Vulnerabilities: CVE-2018-14618   CVE-2017-8816   CVE-2018-16839   CVE-2018-16840   CVE-2018-16842  

Debian Bug report logs - #908327
curl: CVE-2018-14618: NTLM password overflow via integer overflow

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 8 Sep 2018 12:33:04 UTC

Severity: serious

Tags: fixed-upstream, security, upstream

Found in versions curl/7.61.0-1, curl/7.52.1-1

Fixed in versions curl/7.52.1-5+deb9u7, curl/7.62.0-1

Done: Alessandro Ghedini <ghedo@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/curl/curl/issues/2756


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Alessandro Ghedini <ghedo@debian.org>:
Bug#908327; Package src:curl. (Sat, 08 Sep 2018 12:33:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Alessandro Ghedini <ghedo@debian.org>. (Sat, 08 Sep 2018 12:33:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: curl: CVE-2018-14618: NTLM password overflow via integer overflow
Date: Sat, 08 Sep 2018 14:31:17 +0200
Source: curl
Version: 7.61.0-1
Severity: serious
Tags: security upstream
Justification: otherwise regression from stable for security fix
Forwarded: https://github.com/curl/curl/issues/2756
Control: found -1 7.52.1-1
Control: fixed -1 7.52.1-5+deb9u7

Hi,

The following vulnerability was published for curl. Justification for
the severity is that it would otherwise imply a regression from
stable for a security fix.

CVE-2018-14618[0]:
| curl before version 7.61.1 is vulnerable to a buffer overrun in the
| NTLM authentication code. The internal function
| Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two
| (SUM) to figure out how large temporary storage area to allocate from
| the heap. The length value is then subsequently used to iterate over
| the password and generate output into the allocated storage buffer. On
| systems with a 32 bit size_t, the math to calculate SUM triggers an
| integer overflow when the password length exceeds 2GB (2^31 bytes).
| This integer overflow usually causes a very small buffer to actually
| get allocated instead of the intended very huge one, making the use of
| that buffer end up in a heap buffer overflow. (This bug is almost
| identical to CVE-2017-8816.)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-14618
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14618
[1] https://curl.haxx.se/docs/CVE-2018-14618.html
[2] https://github.com/curl/curl/issues/2756
[3] https://github.com/curl/curl/commit/57d299a499155d4b327e341c6024e293b0418243

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
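
The arithmetic in the CVE description quoted above, as an added example (not code from curl or from this bug report): it contrasts the wrapping size computation with a checked one. All function names are hypothetical, and `uint32_t` is assumed to stand in for a 32-bit `size_t` so the wrap shows on any host.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: uint32_t stands in for a 32-bit size_t so the wrap is
   reproducible on a 64-bit host. All names here are hypothetical. */
typedef uint32_t size32_t;

/* Unchecked sizing as the advisory describes it: SUM = len * 2. */
static size32_t unchecked_alloc_size(size32_t password_len)
{
  return (size32_t)(password_len * 2u); /* wraps modulo 2^32 */
}

/* Bytes the conversion loop would write past the allocation: it emits two
   bytes per password byte, however small the buffer turned out. */
static uint64_t overrun_bytes(size32_t password_len)
{
  uint64_t written = (uint64_t)password_len * 2u;
  return written - unchecked_alloc_size(password_len);
}

/* Checked sizing: reject any length whose doubling is not representable. */
static bool checked_alloc_size(size32_t password_len, size32_t *out)
{
  if(password_len > UINT32_MAX / 2u)
    return false; /* caller treats this as an allocation failure */
  *out = password_len * 2u;
  return true;
}

int main(void)
{
  /* Constructed sample lengths around the 2^31 boundary. */
  const size32_t samples[] = { 16u, 0x7FFFFFFFu, 0x80000000u, 0x80000001u };
  for(size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
    size32_t ok_size = 0;
    bool ok = checked_alloc_size(samples[i], &ok_size);
    printf("len=%lu unchecked=%lu overrun=%llu checked=%s\n",
           (unsigned long)samples[i],
           (unsigned long)unchecked_alloc_size(samples[i]),
           (unsigned long long)overrun_bytes(samples[i]),
           ok ? "accepted" : "rejected");
  }
  return 0;
}
```
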



Marked as found in versions curl/7.52.1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sat, 08 Sep 2018 12:33:07 GMT)


Marked as fixed in versions curl/7.52.1-5+deb9u7. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sat, 08 Sep 2018 12:33:08 GMT)


Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Thu, 13 Sep 2018 19:09:07 GMT)


Reply sent to Alessandro Ghedini <ghedo@debian.org>:
You have taken responsibility. (Thu, 01 Nov 2018 00:39:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 01 Nov 2018 00:39:03 GMT)


Message #16 received at 908327-close@bugs.debian.org:

From: Alessandro Ghedini <ghedo@debian.org>
To: 908327-close@bugs.debian.org
Subject: Bug#908327: fixed in curl 7.62.0-1
Date: Thu, 01 Nov 2018 00:34:23 +0000
Source: curl
Source-Version: 7.62.0-1

We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 908327@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alessandro Ghedini <ghedo@debian.org> (supplier of updated curl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 31 Oct 2018 22:42:44 +0000
Source: curl
Binary: curl libcurl4 libcurl3-gnutls libcurl3-nss libcurl4-openssl-dev libcurl4-gnutls-dev libcurl4-nss-dev libcurl4-doc
Architecture: source
Version: 7.62.0-1
Distribution: unstable
Urgency: medium
Maintainer: Alessandro Ghedini <ghedo@debian.org>
Changed-By: Alessandro Ghedini <ghedo@debian.org>
Description:
 curl       - command line tool for transferring data with URL syntax
 libcurl3-gnutls - easy-to-use client-side URL transfer library (GnuTLS flavour)
 libcurl3-nss - easy-to-use client-side URL transfer library (NSS flavour)
 libcurl4   - easy-to-use client-side URL transfer library (OpenSSL flavour)
 libcurl4-doc - documentation for libcurl
 libcurl4-gnutls-dev - development files and documentation for libcurl (GnuTLS flavour)
 libcurl4-nss-dev - development files and documentation for libcurl (NSS flavour)
 libcurl4-openssl-dev - development files and documentation for libcurl (OpenSSL flavour)
Closes: 908327 911333
Changes:
 curl (7.62.0-1) unstable; urgency=medium
 .
   * New upstream release
     + Fix NTLM password overflow via integer overflow as per CVE-2018-14618
       (Closes: #908327) https://curl.haxx.se/docs/CVE-2018-14618.html
     + Fix SASL password overflow via integer overflow as per CVE-2018-16839
       https://curl.haxx.se/docs/CVE-2018-16839.html
     + Fix use-after-free in handle close as per CVE-2018-16840
       https://curl.haxx.se/docs/CVE-2018-16840.html
     + Fix warning message out-of-buffer read as per CVE-2018-16842
       https://curl.haxx.se/docs/CVE-2018-16842.html
     + Fix broken terminal output (closes: #911333)
   * Refresh patches
   * Add 12_fix-runtests-curl.patch to fix running curl in tests




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 09 Dec 2018 07:29:56 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:35:14 2019; Machine Name: beach
