CVE-2019-5436

medium

Published 2020-04-28 · Modified 2020-04-28

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

5.5

Description

A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Red Hat Errata — Red Hat Inc. · View original ↗ · Open-Errata-API

Description curl: TFTP receive heap buffer overflow in tftp_receive_packet() function Red Hat statement This flaw exists if the user selects to use a "blksize" of 504 or smaller (default is 512). The smaller size that is used, the larger the possible overflow becomes. Users choosing a smaller size than default should be rare as the primary use case for changing the size is to make it larger. It…

Description

curl: TFTP receive heap buffer overflow in tftp_receive_packet() function

Red Hat statement

This flaw exists if the user selects to use a "blksize" of 504 or smaller (default is 512). The smaller size that is used, the larger the possible overflow becomes. Users choosing a smaller size than default should be rare as the primary use case for changing the size is to make it larger. It is rare for users to use TFTP across the Internet. It is most commonly used within local networks.

CVSS v3: 7.0 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

Errata / fixed releases

Product	Package	Advisory	Released
JBoss Core Services Apache HTTP Server 2.4.29 SP2		RHSA-2019:1543	2019-06-18T00:00:00Z
Red Hat Ansible Tower 3.5 for RHEL 7	`ansible-tower-35/ansible-tower:3.5.6-1`	RHBA-2020:1539	2020-04-22T00:00:00Z
Red Hat Ansible Tower 3.6 for RHEL 7	`ansible-tower-36/ansible-tower:3.6.4-1`	RHBA-2020:1540	2020-04-22T00:00:00Z
Red Hat Enterprise Linux 7	`curl-0:7.29.0-57.el7`	RHSA-2020:1020	2020-03-31T00:00:00Z
Red Hat Enterprise Linux 7.7 Extended Update Support	`curl-0:7.29.0-54.el7_7.3`	RHSA-2020:2505	2020-06-12T00:00:00Z
Red Hat Enterprise Linux 8	`curl-0:7.61.1-12.el8`	RHSA-2020:1792	2020-04-28T00:00:00Z

Package state

Product	Package	State
.NET Core 1.0 on Red Hat Enterprise Linux	`rh-dotnetcore10-curl`	Not affected
.NET Core 1.1 on Red Hat Enterprise Linux	`rh-dotnetcore11-curl`	Not affected
.NET Core 2.1 on Red Hat Enterprise Linux	`rh-dotnet21-curl`	Not affected
.NET Core 2.2 on Red Hat Enterprise Linux	`rh-dotnet22-curl`	Not affected
Red Hat Enterprise Linux 5	`curl`	Not affected
Red Hat Enterprise Linux 6	`curl`	Will not fix
Red Hat JBoss Core Services	`jbcs-httpd24-curl`	Affected
Red Hat JBoss Web Server 5	`curl`	Not affected
Red Hat Software Collections	`httpd24-curl`	Fix deferred

Apply commands

bash fix

Apply RHBA-2020:1539 for Red Hat Ansible Tower 3.5 for RHEL 7

yum update -y ansible-tower
# or:
dnf upgrade -y ansible-tower

Affected

Vendor	Product	Version
redhat	.NET Core 1.0 on Red Hat Enterprise Linux	`Not affected`
redhat	.NET Core 1.1 on Red Hat Enterprise Linux	`Not affected`
redhat	.NET Core 2.1 on Red Hat Enterprise Linux	`Not affected`
redhat	.NET Core 2.2 on Red Hat Enterprise Linux	`Not affected`
redhat	Red Hat Enterprise Linux 5	`Not affected`
redhat	Red Hat JBoss Core Services	`Affected`
redhat	Red Hat JBoss Web Server 5	`Not affected`

OS impact

SUSE Affected 1 release

Version	Status	Fixed in
—	Affected	—

Arch Fixed 1 release

Version	Status	Fixed in
—	Fixed	`7.65.0-1`

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`7.64.0-4`
sid	Fixed	`7.64.0-4`
forky	Fixed	`7.64.0-4`
bullseye	Fixed	`7.64.0-4`
bookworm	Fixed	`7.64.0-4`

Red Hat Fixed 1 release

Version	Status	Fixed in
8	Fixed	—

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.