NTLM type-2 out-of-bounds buffer read
=====================================

Project curl Security Advisory, February 6th 2019 -
[Permalink](https://curl.haxx.se/docs/CVE-2018-16890.html)

VULNERABILITY
-------------

libcurl contains a heap buffer out-of-bounds read flaw.

The function handling incoming NTLM type-2 messages
(`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data
correctly and is subject to an integer overflow vulnerability.

Using that overflow, a malicious or broken NTLM server could trick libcurl into
accepting a bad length + offset combination that would lead to a buffer read
out-of-bounds.

We are not aware of any exploit of this flaw.

INFO
----

This bug was introduced in
[commit 86724581b6c](https://github.com/curl/curl/commit/86724581b6c),
January 2014.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2018-16890 to this issue.

CWE-125: Out-of-bounds Read

Severity: 5.3 (Medium)

AFFECTED VERSIONS
-----------------

- Affected versions: libcurl 7.36.0 to and including 7.63.0
- Not affected versions: libcurl < 7.36.0 and >= 7.64.0

libcurl is used by many applications, but not always advertised as such.

THE SOLUTION
------------

A [patch for CVE-2018-16890](https://github.com/curl/curl/commit/b780b30d1377adb10bbe774835f49e9b237fb9bb)

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

A - Upgrade curl to version 7.64.0

B - Apply the patch to your version and rebuild

C - Turn off NTLM authentication

TIME LINE
---------

It was reported to the curl project on December 30, 2018.

We contacted distros@openwall on January 28.

curl 7.64.0 was released on February 6 2019, coordinated with the publication
of this advisory.

CREDITS
-------

Reported by Wenxiang Qian of Tencent Blade Team. Patch by Daniel Stenberg.

Thanks a lot!

-- 

 / daniel.haxx.se
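The length + offset validation problem described under VULNERABILITY above, as an added C illustration that is not libcurl's code: `target_info_ok_vulnerable` models a check whose 32-bit `offset + length` sum can wrap and pass, `target_info_ok_fixed` bounds the offset on its own before any arithmetic, and `build_type2` constructs a minimal type-2 message to feed both. The field positions follow the NTLM CHALLENGE_MESSAGE TargetInfo layout; the function and helper names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Little-endian field readers; hypothetical helpers, not libcurl's own. */
static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p) {
  return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* NTLM type-2 TargetInfo security buffer: Len (2 bytes) at byte 40 and
 * BufferOffset (4 bytes) at byte 44; the fixed header is 48 bytes long. */
static int read_target_info(const unsigned char *t2, size_t n, uint16_t *len, uint32_t *off) {
  if(n < 48) return 0;            /* header must be complete before the fields are read */
  *len = rd16(&t2[40]);
  *off = rd32(&t2[44]);
  return 1;
}

/* Weak check in the spirit of the pre-fix logic: off + len is evaluated in 32
 * bits, so an offset near 2^32 wraps the sum below n and is accepted. 1 = accept. */
static int target_info_ok_vulnerable(const unsigned char *t2, size_t n) {
  uint16_t len; uint32_t off;
  if(!read_target_info(t2, n, &len, &off)) return 0;
  if(len == 0) return 1;
  if(((off + len) > n) || (off < 48)) return 0;
  return 1;
}

/* Hardened check: bound the offset by itself first, then compare the length
 * against the bytes that remain, so no addition can wrap. 1 = accept. */
static int target_info_ok_fixed(const unsigned char *t2, size_t n) {
  uint16_t len; uint32_t off;
  if(!read_target_info(t2, n, &len, &off)) return 0;
  if(len == 0) return 1;
  if(off < 48 || off > n) return 0;
  if((size_t)len > n - off) return 0;
  return 1;
}

/* Build a constructed type-2 message of n bytes (n >= 48) carrying the given
 * TargetInfo offset and length; only the fields the checks look at are filled. */
static void build_type2(unsigned char *buf, size_t n, uint32_t off, uint16_t len) {
  memset(buf, 0, n);
  memcpy(buf, "NTLMSSP", 8);      /* signature including its terminating NUL */
  buf[8] = 2;                     /* MessageType = CHALLENGE (type 2) */
  for(int i = 0; i < 2; i++) buf[40 + i] = buf[42 + i] = (unsigned char)(len >> (8 * i));
  for(int i = 0; i < 4; i++) buf[44 + i] = (unsigned char)(off >> (8 * i));
}
```

With a server-supplied offset of 0xFFFFFFF0 and length 0x20 the weak check accepts the message while the hardened one rejects it; both agree on ordinary in-range and plainly out-of-range values.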