Arch Linux Security Advisory ASA-201905-16 ========================================== Severity: High Date : 2019-05-31 CVE-ID : CVE-2019-5436 Package : curl Type : arbitrary code execution Remote : Yes Link : https://security.archlinux.org/AVG-964 Summary ======= The package curl before version 7.65.0-1 is vulnerable to arbitrary code execution. Resolution ========== Upgrade to 7.65.0-1. # pacman -Syu "curl>=7.65.0-1" The problem has been fixed upstream in version 7.65.0. Workaround ========== None. Description =========== libcurl before 7.65.0 contains a heap buffer overflow in the function (tftp_receive_packet()) that receives data from a TFTP server. It calls recvfrom() with the default size for the buffer rather than with the size that was used to allocate it. Thus, the content that might overwrite the heap memory is entirely controlled by the server. The flaw exists if the user selects to use a "blksize" of 504 or smaller (default is 512). The smaller size that is used, the larger the possible overflow becomes. Users choosing a smaller size than default should be rare as the primary use case for changing the size is to make it larger. Impact ====== A malicious TFTP server can execute arbitrary code on the affected host. References ========== https://curl.haxx.se/docs/CVE-2019-5436.html https://github.com/curl/curl/commit/2576003415625d7b5f0e390902f8097830b82275 https://security.archlinux.org/CVE-2019-5436