CVE-2019-3823 log
| Source |
|
| Severity | High |
| Remote | Yes |
| Type | Arbitrary code execution |
| Description | libcurl versions from 7.34.0 to before 7.64.0 are vulnerable to a heap out-of-bounds read in the code handling the end-of-response for SMTP. If the buffer passed to `smtp_endofresp()` isn't NUL terminated and contains no character ending the parsed number, and `len` is set to 5, then the `strtol()` call reads beyond the allocated buffer. The read contents will not be returned to the caller. |
| Group | Package | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|---|
| AVG-877 | libcurl-gnutls | 7.63.0-2 | 7.64.0-1 | High | Fixed | |
| AVG-876 | lib32-libcurl-gnutls | 7.63.0-2 | 7.64.0-1 | High | Fixed | |
| AVG-875 | lib32-libcurl-compat | 7.63.0-2 | 7.64.0-1 | High | Fixed | |
| AVG-874 | lib32-curl | 7.63.0-2 | 7.64.0-1 | High | Fixed | |
| AVG-873 | curl | 7.63.0-4 | 7.64.0-1 | High | Fixed |
| Date | Advisory | Group | Package | Severity | Type |
|---|---|---|---|---|---|
| 12 Feb 2019 | ASA-201902-9 | AVG-873 | curl | High | arbitrary code execution |
| 12 Feb 2019 | ASA-201902-13 | AVG-874 | lib32-curl | High | arbitrary code execution |
| 12 Feb 2019 | ASA-201902-12 | AVG-875 | lib32-libcurl-compat | High | arbitrary code execution |
| 12 Feb 2019 | ASA-201902-11 | AVG-876 | lib32-libcurl-gnutls | High | arbitrary code execution |
| 12 Feb 2019 | ASA-201902-10 | AVG-877 | libcurl-gnutls | High | arbitrary code execution |
| References |
|---|
https://curl.haxx.se/docs/CVE-2019-3823.html https://github.com/curl/curl/commit/39df4073e5413fcdbb5a38da0c1ce6f1c0ceb484 |