CLD-466 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2018-0500 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s) adv_2018-70a2

Basic Information:

Affected Package(s) curl
Deficiency Type SECURITY
Date Created 2018-07-11 10:03:29
Date Last Modified 2018-07-11 10:22:19

Version Specific Information:

Cucumber 1.0 i686 fixed in curl-7.61.0-i686-1
Cucumber 1.0 x86_64 fixed in curl-7.61.0-x86_64-1 and curl-lib_i686-7.61.0-lib_i686-1

Cucumber 1.1 i686 fixed in curl-7.61.0-i686-1
Cucumber 1.1 x86_64 fixed in curl-7.61.0-x86_64-1 and curl-lib_i686-7.61.0-lib_i686-1

Details:

=================================== Overview ===================================

Curl_smtp_escape_eob in lib/smtp.c in curl before 7.61.0 has a heap-based
buffer overflow that might be exploitable by an attacker who can control the
data that curl transmits over SMTP with certain settings (i.e., use of a
nonstandard --limit-rate argument or CURLOPT_BUFFERSIZE value). 

================================ Initial Report ================================

From https://curl.haxx.se/docs/adv_2018-70a2.html:

url might overflow a heap based memory buffer when sending data over SMTP and
using a reduced read buffer.

When sending data over SMTP, curl allocates a separate "scratch area" on the
heap to be able to escape the uploaded data properly if the uploaded data
contains data that requires it.

The size of this temporary scratch area was mistakenly made to be 2 *
sizeof(download_buffer) when it should have been made 2 *
sizeof(upload_buffer).

The upload and the download buffer sizes are identically sized by default
(16KB) but since version 7.54.1, curl can resize the download buffer into a
smaller buffer (as well as larger). If the download buffer size is set to a
value smaller than 10923, the Curl_smtp_escape_eob() function might overflow
the scratch buffer when sending contents of sufficient size and contents.

The curl command line tool lowers the buffer size when --limit-rate is set to a
value smaller than 16KB.

We are not aware of any exploit of this flaw.

================================= Our Analysis =================================

----- Affected Products -----
Versions of curl prior to 7.61.0 that have not had the patch from
https://github.com/curl/curl/commit/ba1dbd78e5f1e.patch are vulnerable. This
includes curl as originally packaged in Cucumber Linux 1.0, 1.1 and 
sysbuild 18001.

----- Scope and Impact of this Vulnerability -----
Could result in a potential information disclosure or denial of service when
using curl with a nondefault --limit-rate argument.

----- Fix for this Vulnerability -----
This vulnerability can be fixed by taking one of three actions:
  A - Upgrade curl to version 7.61.0
  B - Apply the patch to your version and rebuild
  C - Avoid using SMTP uploads with CURLOPT_BUFFERSIZE set below 10923

================================= Our Solution =================================

We have upgraded curl to version 7.61.0.