Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 677346 (CVE-2018-16890, CVE-2019-3822, CVE-2019-3823) - <net-misc/curl-7.64.0 - multiple vulnerabilities (CVE-2019-{3822,3823})
Summary: <net-misc/curl-7.64.0 - multiple vulnerabilities (CVE-2019-{3822,3823})
Alias: CVE-2018-16890, CVE-2019-3822, CVE-2019-3823
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: A2 [glsa+ cve]
Depends on:
Reported: 2019-02-06 08:02 UTC by Jeroen Roovers (RETIRED)
Modified: 2019-03-10 19:49 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---
stable-bot: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description Jeroen Roovers (RETIRED) gentoo-dev 2019-02-06 08:02:10 UTC
CVE-2018-16890: NTLM type-2 out-of-bounds buffer read
CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow
CVE-2019-3823: SMTP end-of-response out-of-bounds read
Comment 1 Anthony Basile gentoo-dev 2019-02-06 12:41:36 UTC
I added curl-7.64.0 to the tree and did preliminary testing.  Its good for rapid stabilization.

EYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 2 Rolf Eike Beer archtester 2019-02-06 23:09:27 UTC
sparc stable
Comment 3 Larry the Git Cow gentoo-dev 2019-02-07 12:31:42 UTC
The bug has been referenced in the following commit(s):

commit 07a5c573d80db48a01a46d12f7e7788232e2f1b5
Author:     Tobias Klausmann <>
AuthorDate: 2019-02-07 12:31:04 +0000
Commit:     Tobias Klausmann <>
CommitDate: 2019-02-07 12:31:19 +0000

    net-misc/curl-7.64.0-r0: alpha stable
    Signed-off-by: Tobias Klausmann <>

 net-misc/curl/curl-7.64.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 4 Mart Raudsepp gentoo-dev 2019-02-07 13:30:38 UTC
arm64 stable
Comment 5 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-02-07 16:44:19 UTC
amd64 stable
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2019-02-09 18:37:45 UTC
x86 stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2019-02-09 20:01:26 UTC
ia64 stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2019-02-09 20:02:39 UTC
hppa stable
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2019-02-12 21:26:36 UTC
ppc64 stable
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2019-02-12 21:30:06 UTC
ppc stable
Comment 11 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-02-13 11:52:56 UTC
sh stable
Comment 12 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-02-13 11:54:36 UTC
arm stable
Comment 13 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-02-13 11:56:05 UTC
m68k stable
Comment 14 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-02-13 11:57:38 UTC
s390 stable
Comment 15 Markus Meier gentoo-dev 2019-02-13 19:10:12 UTC
arm stable, all arches done.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2019-03-05 01:19:06 UTC
CVE-2019-3823 (
  libcurl versions from 7.34.0 to before 7.64.0 are vulnerable to a heap
  out-of-bounds read in the code handling the end-of-response for SMTP. If the
  buffer passed to `smtp_endofresp()` isn't NUL terminated and contains no
  character ending the parsed number, and `len` is set to 5, then the
  `strtol()` call reads beyond the allocated buffer. The read contents will
  not be returned to the caller.

CVE-2019-3822 (
  libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a
  stack-based buffer overflow. The function creating an outgoing NTLM type-3
  header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates
  the request HTTP header contents based on previously received data. The
  check that exists to prevent the local buffer from getting overflowed is
  implemented wrongly (using unsigned math) and as such it does not prevent
  the overflow from happening. This output data can grow larger than the local
  buffer if very large 'nt response' data is extracted from a previous NTLMv2
  header provided by the malicious or broken HTTP server. Such a 'large value'
  needs to be around 1000 bytes or more. The actual payload data copied to the
  target buffer comes from the NTLMv2 type-2 response header.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2019-03-10 19:49:16 UTC
This issue was resolved and addressed in
 GLSA 201903-03 at
by GLSA coordinator Aaron Bauman (b-man).