Subject: [ASA-201905-13] lib32-libcurl-gnutls: arbitrary code execution Arch Linux Security Advisory ASA-201905-13 ========================================== Severity: High Date : 2019-05-31 CVE-ID : CVE-2019-5435 CVE-2019-5436 Package : lib32-libcurl-gnutls Type : arbitrary code execution Remote : Yes Link : https://security.archlinux.org/AVG-961 Summary ======= The package lib32-libcurl-gnutls before version 7.65.0-1 is vulnerable to arbitrary code execution. Resolution ========== Upgrade to 7.65.0-1. # pacman -Syu "lib32-libcurl-gnutls>=7.65.0-1" The problems have been fixed upstream in version 7.65.0. Workaround ========== None. Description =========== - CVE-2019-5435 (arbitrary code execution) libcurl before 7.65.0 contains two integer overflows in the curl_url_set() function that if triggered, can lead to a too small buffer allocation and a subsequent heap buffer overflow. The flaws only exist on 32 bit architectures and require excessive string input lengths. - CVE-2019-5436 (arbitrary code execution) libcurl before 7.65.0 contains a heap buffer overflow in the function (tftp_receive_packet()) that receives data from a TFTP server. It calls recvfrom() with the default size for the buffer rather than with the size that was used to allocate it. Thus, the content that might overwrite the heap memory is entirely controlled by the server. The flaw exists if the user selects to use a "blksize" of 504 or smaller (default is 512). The smaller size that is used, the larger the possible overflow becomes. Users choosing a smaller size than default should be rare as the primary use case for changing the size is to make it larger. Impact ====== A malicious TFTP server can execute arbitrary code on the affected host. A remote attacker can execute arbitrary code on the affected host via a crafted URL part of excessive length. References ========== https://curl.haxx.se/docs/CVE-2019-5435.html https://curl.haxx.se/docs/CVE-2019-5436.html https://github.com/curl/curl/commit/5fc28510a4664f4 https://github.com/curl/curl/commit/2576003415625d7b5f0e390902f8097830b82275 https://security.archlinux.org/CVE-2019-5435 https://security.archlinux.org/CVE-2019-5436