UBUNTU-CVE-2019-3823

See a problem?

Source

https://ubuntu.com/security/notices/UBUNTU-CVE-2019-3823

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-3823.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2019-3823

Related

Published

2019-02-06T00:00:00Z

Modified

2019-02-06T00:00:00Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

libcurl versions from 7.34.0 to before 7.64.0 are vulnerable to a heap out-of-bounds read in the code handling the end-of-response for SMTP. If the buffer passed to smtp_endofresp() isn't NUL terminated and contains no character ending the parsed number, and len is set to 5, then the strtol() call reads beyond the allocated buffer. The read contents will not be returned to the caller.

References

Affected packages

Ubuntu:14.04:LTS / curl

Package

Name: curl
Purl: pkg:deb/ubuntu/curl@7.35.0-1ubuntu2.20?arch=src?distro=trusty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

7.35.0-1ubuntu2.20

Affected versions

7.*

7.32.0-1ubuntu1

7.33.0-1ubuntu1

7.34.0-1ubuntu1

7.35.0-1ubuntu1

7.35.0-1ubuntu2

7.35.0-1ubuntu2.1

7.35.0-1ubuntu2.2

7.35.0-1ubuntu2.3

7.35.0-1ubuntu2.5

7.35.0-1ubuntu2.6

7.35.0-1ubuntu2.7

7.35.0-1ubuntu2.8

7.35.0-1ubuntu2.9

7.35.0-1ubuntu2.10

7.35.0-1ubuntu2.11

7.35.0-1ubuntu2.12

7.35.0-1ubuntu2.13

7.35.0-1ubuntu2.14

7.35.0-1ubuntu2.15

7.35.0-1ubuntu2.16

7.35.0-1ubuntu2.17

7.35.0-1ubuntu2.19

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "low",
    "binaries": [
        {
            "curl-udeb": "7.35.0-1ubuntu2.20",
            "libcurl3": "7.35.0-1ubuntu2.20",
            "libcurl4-gnutls-dev": "7.35.0-1ubuntu2.20",
            "libcurl3-dbgsym": "7.35.0-1ubuntu2.20",
            "libcurl3-nss": "7.35.0-1ubuntu2.20",
            "libcurl4-doc": "7.35.0-1ubuntu2.20",
            "libcurl3-udeb-dbgsym": "7.35.0-1ubuntu2.20",
            "libcurl3-gnutls-dbgsym": "7.35.0-1ubuntu2.20",
            "libcurl4-openssl-dev": "7.35.0-1ubuntu2.20",
            "libcurl4-openssl-dev-dbgsym": "7.35.0-1ubuntu2.20",
            "curl-dbgsym": "7.35.0-1ubuntu2.20",
            "curl": "7.35.0-1ubuntu2.20",
            "libcurl3-udeb": "7.35.0-1ubuntu2.20",
            "curl-udeb-dbgsym": "7.35.0-1ubuntu2.20",
            "libcurl4-nss-dev-dbgsym": "7.35.0-1ubuntu2.20",
            "libcurl3-gnutls": "7.35.0-1ubuntu2.20",
            "libcurl4-gnutls-dev-dbgsym": "7.35.0-1ubuntu2.20",
            "libcurl3-nss-dbgsym": "7.35.0-1ubuntu2.20",
            "libcurl3-dbg": "7.35.0-1ubuntu2.20",
            "libcurl4-nss-dev": "7.35.0-1ubuntu2.20"
        }
    ]
}

Ubuntu:16.04:LTS / curl

Package

Name: curl
Purl: pkg:deb/ubuntu/curl@7.47.0-1ubuntu2.12?arch=src?distro=xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

7.47.0-1ubuntu2.12

Affected versions

7.*

7.43.0-1ubuntu2

7.45.0-1ubuntu1

7.46.0-1ubuntu1

7.47.0-1ubuntu1

7.47.0-1ubuntu2

7.47.0-1ubuntu2.1

7.47.0-1ubuntu2.2

7.47.0-1ubuntu2.3

7.47.0-1ubuntu2.4

7.47.0-1ubuntu2.5

7.47.0-1ubuntu2.6

7.47.0-1ubuntu2.7

7.47.0-1ubuntu2.8

7.47.0-1ubuntu2.9

7.47.0-1ubuntu2.11

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "low",
    "binaries": [
        {
            "libcurl3": "7.47.0-1ubuntu2.12",
            "libcurl4-gnutls-dev": "7.47.0-1ubuntu2.12",
            "libcurl3-dbgsym": "7.47.0-1ubuntu2.12",
            "libcurl3-nss": "7.47.0-1ubuntu2.12",
            "libcurl4-doc": "7.47.0-1ubuntu2.12",
            "libcurl3-gnutls-dbgsym": "7.47.0-1ubuntu2.12",
            "libcurl4-openssl-dev": "7.47.0-1ubuntu2.12",
            "libcurl4-openssl-dev-dbgsym": "7.47.0-1ubuntu2.12",
            "curl-dbgsym": "7.47.0-1ubuntu2.12",
            "curl": "7.47.0-1ubuntu2.12",
            "libcurl4-nss-dev-dbgsym": "7.47.0-1ubuntu2.12",
            "libcurl3-gnutls": "7.47.0-1ubuntu2.12",
            "libcurl4-gnutls-dev-dbgsym": "7.47.0-1ubuntu2.12",
            "libcurl3-nss-dbgsym": "7.47.0-1ubuntu2.12",
            "libcurl3-dbg": "7.47.0-1ubuntu2.12",
            "libcurl4-nss-dev": "7.47.0-1ubuntu2.12"
        }
    ]
}

Ubuntu:18.04:LTS / curl

Package

Name: curl
Purl: pkg:deb/ubuntu/curl@7.58.0-2ubuntu3.6?arch=src?distro=bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

7.58.0-2ubuntu3.6

Affected versions

7.*

7.55.1-1ubuntu2

7.55.1-1ubuntu2.1

7.57.0-1ubuntu1

7.58.0-2ubuntu1

7.58.0-2ubuntu2

7.58.0-2ubuntu3

7.58.0-2ubuntu3.1

7.58.0-2ubuntu3.2

7.58.0-2ubuntu3.3

7.58.0-2ubuntu3.5

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "low",
    "binaries": [
        {
            "curl-dbgsym": "7.58.0-2ubuntu3.6",
            "curl": "7.58.0-2ubuntu3.6",
            "libcurl4": "7.58.0-2ubuntu3.6",
            "libcurl4-gnutls-dev": "7.58.0-2ubuntu3.6",
            "libcurl4-dbgsym": "7.58.0-2ubuntu3.6",
            "libcurl3-nss": "7.58.0-2ubuntu3.6",
            "libcurl4-doc": "7.58.0-2ubuntu3.6",
            "libcurl3-nss-dbgsym": "7.58.0-2ubuntu3.6",
            "libcurl3-gnutls": "7.58.0-2ubuntu3.6",
            "libcurl3-gnutls-dbgsym": "7.58.0-2ubuntu3.6",
            "libcurl4-openssl-dev": "7.58.0-2ubuntu3.6",
            "libcurl4-nss-dev": "7.58.0-2ubuntu3.6"
        }
    ]
}