CURL-CVE-2019-5481

Source
https://curl.se/docs/CVE-2019-5481.html
Import Source
https://curl.se/docs/CURL-CVE-2019-5481.json
JSON Data
https://api.osv.dev/v1/vulns/CURL-CVE-2019-5481
Aliases
Published
2019-09-11T08:00:00Z
Modified
2024-06-07T13:53:51Z
Summary
FTP-KRB double free
Details

libcurl can be told to use kerberos over FTP to a server, as set with the CURLOPT_KRBLEVEL option.

During such kerberos FTP data transfer, the server sends data to curl in blocks with the 32 bit size of each block first and then that amount of data immediately following.

A malicious or just broken server can claim to send a very large block and if by doing that it makes curl's subsequent call to realloc() to fail, curl would then misbehave in the exit path and double free the memory.

In practical terms, an up to 4 GB memory area may very well be fine to allocate on a modern 64 bit system but on 32 bit systems it fails.

Kerberos FTP is a rarely used protocol with curl. Also, Kerberos authentication is usually only attempted and used with servers that the client has a previous association with.

Database specific
{
    "CWE": {
        "id": "CWE-415",
        "desc": "Double Free"
    },
    "award": {
        "amount": "200",
        "currency": "USD"
    },
    "URL": "https://curl.se/docs/CVE-2019-5481.json",
    "package": "curl",
    "severity": "Medium",
    "issue": "https://hackerone.com/reports/686823",
    "www": "https://curl.se/docs/CVE-2019-5481.html",
    "last_affected": "7.65.3"
}
References
Credits
    • Thomas Vegas - FINDER
    • Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type
SEMVER
Events
Introduced
7.52.0
Fixed
7.66.0
Type
GIT
Repo
https://github.com/curl/curl.git
Events

Affected versions

7.*

7.52.0
7.52.1
7.53.0
7.53.1
7.54.0
7.54.1
7.55.0
7.55.1
7.56.0
7.56.1
7.57.0
7.58.0
7.59.0
7.60.0
7.61.0
7.61.1
7.62.0
7.63.0
7.64.0
7.64.1
7.65.0
7.65.1
7.65.2
7.65.3