ios_system
libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a heap buffer out-of-bounds read.
Version latest
What is the security issue or vulnerability?
/curl/lib/transfer.c
libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (lib/vauth/ntlm.c:ntlm_decode_type2_target) does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length + offset combination that would lead to a buffer read out-of-bounds.
Starting from line 183: if(((target_info_offset + target_info_len) > size) ||
Security issue or vulnerability information description: https://nvd.nist.gov/vuln/detail/CVE-2018-16890
commit: https://github.com/MrE-Fog/curlzzz/commit/b780b30d1377adb10bbe774835f49e9b237fb9bb
Could you apply for another new CVE and fix it?
NTLM: fix size check condition for type2 received data
Bug: https://curl.haxx.se/docs/CVE-2018-16890.html
Reported-by: Wenxiang Qian
https://github.com/advisories/GHSA-53fg-3j53-939q
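The length + offset check quoted in the report, set beside an overflow-safe form, as an added example (not curl's code and not the referenced commit). The function names are hypothetical, and the field positions (length at byte 40, offset at byte 44) assume the standard NTLM type-2 layout for the target-info security buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Check shaped like the quoted line: the 32-bit sum can wrap around. */
static int range_ok_wrapping(uint32_t off, uint16_t len, size_t size)
{
  uint32_t end = off + len;              /* computed modulo 2^32 */
  return end <= size;
}

/* Overflow-safe check: compare against the remaining space, never add. */
static int range_ok_safe(uint32_t off, uint16_t len, size_t size)
{
  return off <= size && len <= size - off;
}

/* Hypothetical helper: return a pointer to the target info inside a
   type-2 message, or NULL when the advertised range is invalid. */
static const unsigned char *target_info(const unsigned char *m, size_t size,
                                        uint16_t *len_out)
{
  if(size < 48)                          /* fields occupy bytes 40..47 */
    return NULL;
  uint16_t len = (uint16_t)(m[40] | (m[41] << 8));
  uint32_t off = (uint32_t)m[44] | ((uint32_t)m[45] << 8) |
                 ((uint32_t)m[46] << 16) | ((uint32_t)m[47] << 24);
  if(!range_ok_safe(off, len, size))
    return NULL;
  *len_out = len;
  return m + off;
}

/* Constructed sample: zeroed 64-byte message with only these fields set. */
static void make_msg(unsigned char *m, uint16_t len, uint32_t off)
{
  memset(m, 0, 64);
  m[40] = (unsigned char)len;
  m[41] = (unsigned char)(len >> 8);
  for(int i = 0; i < 4; i++)
    m[44 + i] = (unsigned char)(off >> (8 * i));
}

int main(void)
{
  unsigned char m[64];
  uint16_t n = 0;
  make_msg(m, 0x10, 0xFFFFFFF8u);        /* constructed out-of-range fields */
  printf("wrapping check says ok=%d, safe parser: %s\n",
         range_ok_wrapping(0xFFFFFFF8u, 0x10, sizeof m),
         target_info(m, sizeof m, &n) ? "accepted" : "rejected");
  return 0;
}
```
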