CURL-CVE-2019-5481

See a problem?
Source
https://curl.se/docs/CVE-2019-5481.html
Import Source
https://curl.se/docs/CURL-CVE-2019-5481.json
JSON Data
https://api.osv.dev/v1/vulns/CURL-CVE-2019-5481
Aliases
Published
2019-09-11T08:00:00Z
Modified
2024-06-07T13:53:51Z
Summary
FTP-KRB double free
Details

libcurl can be told to use kerberos over FTP to a server, as set with the CURLOPT_KRBLEVEL option.

During such kerberos FTP data transfer, the server sends data to curl in blocks with the 32 bit size of each block first and then that amount of data immediately following.

A malicious or just broken server can claim to send a very large block and if by doing that it makes curl's subsequent call to realloc() to fail, curl would then misbehave in the exit path and double free the memory.

In practical terms, an up to 4 GB memory area may very well be fine to allocate on a modern 64 bit system but on 32 bit systems it fails.

Kerberos FTP is a rarely used protocol with curl. Also, Kerberos authentication is usually only attempted and used with servers that the client has a previous association with.

References
Credits
    • Thomas Vegas - FINDER
    • Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type
SEMVER
Events
Introduced
7.52.0
Fixed
7.66.0
Type
GIT
Repo
https://github.com/curl/curl.git
Events
Introduced
0649433da53c7165f839e24e889e131e2894dd32
Fixed
9069838b30fb3b48af0123e39f664cea683254a5

Affected versions

7.*

7.52.0
7.52.1
7.53.0
7.53.1
7.54.0
7.54.1
7.55.0
7.55.1
7.56.0
7.56.1
7.57.0
7.58.0
7.59.0
7.60.0
7.61.0
7.61.1
7.62.0
7.63.0
7.64.0
7.64.1
7.65.0
7.65.1
7.65.2
7.65.3