author Sunpoet Po-Chuan Hsieh <sunpoet@FreeBSD.org> 2019-02-07 23:14:47 +0000
committer Sunpoet Po-Chuan Hsieh <sunpoet@FreeBSD.org> 2019-02-07 23:14:47 +0000
commit 68921903496556d08b029e4322b3e97037982a9d
tree 16e622b0b16e150ba0736535e60fe38ba10c8478
parent f531915484781807aafec87e59a21086b16efa95
-rw-r--r-- security/vuxml/vuln.xml 59
1 files changed, 59 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index 7579695516a5..0c70a64dc236 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -58,6 +58,65 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="714b033a-2b09-11e9-8bc3-610fd6e6cd05">
+ <topic>curl -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>curl</name>
+ <range><lt>7.64.0</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>curl security problems:</p>
+ <blockquote cite="https://curl.haxx.se/docs/security.html">
+ <p>CVE-2018-16890: NTLM type-2 out-of-bounds buffer read</p>
+ <p>libcurl contains a heap buffer out-of-bounds read flaw.</p>
+ <p>The function handling incoming NTLM type-2 messages
+ (lib/vauth/ntlm.c:ntlm_decode_type2_target) does not validate incoming
+ data correctly and is subject to an integer overflow vulnerability.</p>
+ <p>Using that overflow, a malicious or broken NTLM server could trick
+ libcurl to accept a bad length + offset combination that would lead to a
+ buffer read out-of-bounds.</p>
+ <p>CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow</p>
+ <p>libcurl contains a stack based buffer overflow vulnerability.</p>
+ <p>The function creating an outgoing NTLM type-3 header
+ (lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()), generates the
+ request HTTP header contents based on previously received data. The
+ check that exists to prevent the local buffer from getting overflowed is
+ implemented wrongly (using unsigned math) and as such it does not
+ prevent the overflow from happening.</p>
+ <p>This output data can grow larger than the local buffer if very large
+ "nt response" data is extracted from a previous NTLMv2 header provided
+ by the malicious or broken HTTP server.</p>
+ <p>Such a "large value" needs to be around 1000 bytes or more. The actual
+ payload data copied to the target buffer comes from the NTLMv2 type-2
+ response header.</p>
+ <p>CVE-2019-3823: SMTP end-of-response out-of-bounds read</p>
+ <p>libcurl contains a heap out-of-bounds read in the code handling the
+ end-of-response for SMTP.</p>
+ <p>If the buffer passed to smtp_endofresp() isn't NUL terminated and
+ contains no character ending the parsed number, and len is set to 5,
+ then the strtol() call reads beyond the allocated buffer. The read
+ contents will not be returned to the caller.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://curl.haxx.se/docs/security.html</url>
+ <url>https://curl.haxx.se/docs/CVE-2018-16890.html</url>
+ <url>https://curl.haxx.se/docs/CVE-2019-3822.html</url>
+ <url>https://curl.haxx.se/docs/CVE-2019-3823.html</url>
+ <cvename>CVE-2018-16890</cvename>
+ <cvename>CVE-2019-3822</cvename>
+ <cvename>CVE-2019-3823</cvename>
+ </references>
+ <dates>
+ <discovery>2019-02-07</discovery>
+ <entry>2019-02-07</entry>
+ </dates>
+ </vuln>
+
<vuln vid="43ee6c1d-29ee-11e9-82a1-001b217b3468">
<topic>Gitlab -- Multiple vulnerabilities</topic>
<affects>
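Review bot: The `<affects>` block of the new entry lists only the `curl` package, yet the Notes comment directly above the hunk says "Do not forget port variants"; if the tree carries other ports that ship curl or libcurl under a different package name, each needs its own `<package>` entry with the same `<range><lt>7.64.0</lt></range>`, otherwise an audit will not flag hosts that have only the variant installed. Separately, `<discovery>` is set to the same day as `<entry>` (2019-02-07); it is worth confirming that this is the upstream disclosure date from the cited advisory and not just the commit date, especially since one of the three CVE ids is from 2018.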