PT-2019-2326 · Curl · Libcurl
Published 2019-05-22 · Updated 2026-05-18
CVE-2019-5436
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
libcurl versions 7.19.4 through 7.64.1
Description
A heap buffer overflow in libcurl's TFTP receiving code, in the tftp_receive_packet() function, allows for denial of service or arbitrary code execution, and through that can expose confidential data and compromise data integrity. The flaw is triggered when a blksize of 504 or smaller is used; the smaller the blksize, the larger the possible overflow. The vulnerability can be exploited by a TFTP server, because the server controls the content that overwrites the heap memory.
Recommendations
For libcurl versions 7.19.4 through 7.64.1, consider disabling the TFTP code path that uses tftp_receive_packet() until a patch is available. Restrict access to TFTP servers to minimize the risk of exploitation. Avoid blksize values of 504 or smaller to reduce the potential for overflow; as a temporary workaround, keep the default blksize of 512 or larger. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
DoS
Heap Based Buffer Overflow
Buffer Overflow
Memory Corruption
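A quick way to tell whether a host's libcurl falls inside the affected range listed above (7.19.4 through 7.64.1) is to parse the banner that `curl --version` prints. This is an added checker, not part of the advisory or of the curl project; the banner text below is a constructed sample, and the local check assumes a `curl` binary on PATH.

```python
"""Flag libcurl builds whose version is within the range this advisory lists
(7.19.4 through 7.64.1), based on the first line of `curl --version` output."""
import re
import subprocess
from typing import Optional, Tuple

AFFECTED_MIN = (7, 19, 4)
AFFECTED_MAX = (7, 64, 1)

# Constructed sample banner in the format `curl --version` prints.
SAMPLE_BANNER = ("curl 7.64.1 (x86_64-pc-linux-gnu) libcurl/7.64.1 "
                 "OpenSSL/1.1.1b zlib/1.2.11 nghttp2/1.36.0\n"
                 "Release-Date: 2019-03-27\n")


def parse_libcurl_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return the libcurl/X.Y.Z token from a curl banner as an int tuple.
    Suffixes such as '-DEV' are ignored; returns None if no token is found."""
    m = re.search(r"libcurl/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_in_affected_range(version: Tuple[int, int, int]) -> bool:
    """True when AFFECTED_MIN <= version <= AFFECTED_MAX (tuple comparison)."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def check_banner(banner: str) -> str:
    """Classify a banner as 'affected', 'not-affected' or 'unknown'.
    Caveat: distributions may backport fixes without bumping the version, so an
    'affected' result is a prompt to check the vendor changelog, not proof."""
    version = parse_libcurl_version(banner)
    if version is None:
        return "unknown"
    return "affected" if is_in_affected_range(version) else "not-affected"


def check_local_curl() -> str:
    """Run `curl --version` on this host and classify its libcurl."""
    try:
        out = subprocess.run(["curl", "--version"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        return "unknown"
    return check_banner(out)


if __name__ == "__main__":
    print(check_banner(SAMPLE_BANNER))  # affected
    print(check_local_curl())
```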
Affected Products
Alt Linux
Centos
Red Hat
Suse
Ubuntu
Libcurl