SB2019091159 - Double Free in gnurl (Alpine package)
Published: September 11, 2019
Security Bulletin ID
SB2019091159
CSH Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Partial DoS
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Double Free (CVE-ID: CVE-2019-5481)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to perform denial of service (DoS) attack.
The vulnerability exists due to a boundary error when processing very large blocks during Kerberos FTP data transfer. A remote attacker that controls malicious FTP server can send large blocks of data to the curl client, trigger a double-free error and crash the application.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=6159078bc4d89ad55278438f77391a0e1068caad
- https://git.alpinelinux.org/aports/commit/?id=8fd649824a89c73869a7bc156d86116635eb3871
- https://git.alpinelinux.org/aports/commit/?id=c64caaa6d0cf04cf1a2a90b1b751edef900fd849
- https://git.alpinelinux.org/aports/commit/?id=b77fa2226959933b28b88ca21a46b6ff5128f4f9
- https://git.alpinelinux.org/aports/commit/?id=36ecea72e973a1cb6755d0b0ca25fed57b7c1cb8
- https://git.alpinelinux.org/aports/commit/?id=1c04cce7036cdb842535ee6ad5f944794fc04c74
- https://git.alpinelinux.org/aports/commit/?id=5b3d6caf5ec2dd362978aa3e81badf606daa76ef