CVE-2018-14618

Priority
Description
curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM
authentication code. The internal function Curl_ntlm_core_mk_nt_hash
multiplies the length of the password by two (SUM) to figure out how large a
temporary storage area to allocate from the heap. The length value is then
used to iterate over the password and generate output into the
allocated storage buffer. On systems with a 32-bit size_t, the math to
calculate SUM triggers an integer overflow when the password length exceeds
2GB (2^31 bytes). This integer overflow usually causes a very small buffer
to be allocated instead of the intended very large one, so that the
use of that buffer ends up in a heap buffer overflow. (This bug is almost
identical to CVE-2017-8816.)
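
The size calculation described above, as an added example that is not curl's code: a uint32_t stands in for a 32-bit size_t so the wrap shows on any host, and the function names and the bound check are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for a 32-bit size_t (assumption, so the wrap is visible on 64-bit hosts). */
typedef uint32_t size32_t;

/* Unchecked pattern: SUM = len * 2, computed in 32 bits, wraps modulo 2^32. */
static size32_t unchecked_alloc_size(size32_t password_len)
{
  return (size32_t)(password_len * 2u);
}

/* Bytes the later loop produces: two output bytes per password byte. */
static uint64_t bytes_written(size32_t password_len)
{
  return (uint64_t)password_len * 2u;
}

/* Checked pattern: reject any length whose doubled size cannot be represented. */
static bool checked_alloc_size(size32_t password_len, size32_t *out)
{
  if(password_len > UINT32_MAX / 2u)
    return false;               /* caller treats this as an allocation failure */
  *out = (size32_t)(password_len * 2u);
  return true;
}

int main(void)
{
  /* Constructed sample lengths around the 2^31 boundary. */
  const size32_t samples[] = { 16u, 0x7FFFFFFFu, 0x80000000u, 0x80000008u };
  for(size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
    size32_t safe = 0;
    bool ok = checked_alloc_size(samples[i], &safe);
    printf("len=%llu unchecked_alloc=%llu written=%llu checked=%s\n",
           (unsigned long long)samples[i],
           (unsigned long long)unchecked_alloc_size(samples[i]),
           (unsigned long long)bytes_written(samples[i]),
           ok ? "accepted" : "rejected");
  }
  return 0;
}
```

For a length of 2^31 + 8 the unchecked size wraps to 16 bytes while the loop still writes more than 4 GB, which is the mismatch that the bound check removes.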
Assigned-to
leosilva
Package
Source: curl (LP Ubuntu Debian)
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): released (7.22.0-3ubuntu4.23)
Ubuntu 14.04 LTS (Trusty Tahr): released (7.35.0-1ubuntu2.17)
Ubuntu 16.04 LTS (Xenial Xerus): released (7.47.0-1ubuntu2.9)
Ubuntu 18.04 LTS (Bionic Beaver): released (7.58.0-2ubuntu3.3)
Ubuntu 18.10 (Cosmic Cuttlefish): released (7.61.0-1ubuntu1)
Patches:
Other: https://github.com/curl/curl/commit/57d299a499155d4b327e341c6024e293b0418243
More Information

Updated: 2018-10-31 21:27:54 UTC (commit cfa7cf69d76449ccff972ac22f40976a08d908c2)