CURL-CVE-2018-16890

See a problem?
Please try reporting it to the source first.

Source

https://curl.se/docs/CVE-2018-16890.html

Import Source

https://curl.se/docs/CURL-CVE-2018-16890.json

JSON Data

https://api.test.osv.dev/v1/vulns/CURL-CVE-2018-16890

Aliases

CVE-2018-16890

Published

2019-02-06T08:00:00Z

Modified

2024-01-16T03:42:46.913879Z

Summary

NTLM type-2 out-of-bounds buffer read

Details

libcurl contains a heap buffer out-of-bounds read flaw.

The function handling incoming NTLM type-2 messages (lib/vauth/ntlm.c:ntlm_decode_type2_target) does not validate incoming data correctly and is subject to an integer overflow vulnerability.

Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length + offset combination that would lead to a buffer read out-of-bounds.

Database specific

{
    "last_affected": "7.63.0",
    "severity": "Medium",
    "affects": "both",
    "CWE": {
        "desc": "Out-of-bounds Read",
        "id": "CWE-125"
    },
    "URL": "https://curl.se/docs/CVE-2018-16890.json",
    "www": "https://curl.se/docs/CVE-2018-16890.html",
    "package": "curl"
}

References

Credits

- Wenxiang Qian of Tencent Blade Team - FINDER
- Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type: SEMVER
Events: Introduced

7.36.0

Fixed

7.64.0

Type: GIT
Repo: https://github.com/curl/curl.git
Events: Introduced

86724581b6c02d160b52f817550cfdfc9c93af62

Fixed

b780b30d1377adb10bbe774835f49e9b237fb9bb

Affected versions

7.*

7.36.0

7.37.0

7.37.1

7.38.0

7.39.0

7.40.0

7.41.0

7.42.0

7.42.1

7.43.0

7.44.0

7.45.0

7.46.0

7.47.0

7.47.1

7.48.0

7.49.0

7.49.1

7.50.0

7.50.1

7.50.2

7.50.3

7.51.0

7.52.0

7.52.1

7.53.0

7.53.1

7.54.0

7.54.1

7.55.0

7.55.1

7.56.0

7.56.1

7.57.0

7.58.0

7.59.0

7.60.0

7.61.0

7.61.1

7.62.0

7.63.0

Database specific

{
    "vanir_signatures": [
        {
            "target": {
                "file": "lib/vauth/ntlm.c"
            },
            "digest": {
                "line_hashes": [
                    "12728682252783882915865415916745410219",
                    "260038441391679011891052480260443053264",
                    "304498700439191242831503511784071893196",
                    "248163854096766719562619899192948860617",
                    "258592839919068071494480859323354185920",
                    "65831133836082554303220208869811168717",
                    "5459699787853170582943844525295317240",
                    "40134995311612953874905870103359729622"
                ],
                "threshold": 0.9
            },
            "signature_version": "v1",
            "id": "CURL-CVE-2018-16890-10e9b890",
            "source": "https://github.com/curl/curl.git/commit/b780b30d1377adb10bbe774835f49e9b237fb9bb",
            "signature_type": "Line",
            "deprecated": false
        },
        {
            "target": {
                "file": "lib/vauth/ntlm.c",
                "function": "ntlm_decode_type2_target"
            },
            "digest": {
                "length": 767.0,
                "function_hash": "167555698249115182477771298620459297773"
            },
            "signature_version": "v1",
            "id": "CURL-CVE-2018-16890-a78e5ad3",
            "source": "https://github.com/curl/curl.git/commit/b780b30d1377adb10bbe774835f49e9b237fb9bb",
            "signature_type": "Function",
            "deprecated": false
        }
    ]
}