Download
Browse source Changelog
Documentation
Project   Help us   Known bugs   TODO Protocols   CA bundle   HTTP Cookies   HTTP/2   SSL Certs Releases   Security   Version numbers   Vulnerabilities curl tool   man page   Tutorial   HTTP scripting Who and Why
libcurl
ABI API Competitors Examples Features Mailing list Related libs Using libcurl Tutorial Testimonials
Get Help
curl-library curl-users curl-announce curl-commits Book: Everything curl Report a bug Mail Etiquette
Development
Autobuilds Code Style Contribute Deprecate Internals Release Notes Release Procedure Roadmap Run Tests Security Process Specifications Test curl
News
Changelog Release table
curl / Mailing Lists / curl-users / Single Mail

curl-users

[SECURITY ADVISORY] curl: SMTP end-of-response out-of-bounds read

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Wed, 6 Feb 2019 08:12:37 +0100 (CET)

SMTP end-of-response out-of-bounds read
=======================================

Project curl Security Advisory, February 6th 2019 -
[Permalink](https://curl.haxx.se/docs/CVE-2019-3823.html)

VULNERABILITY
-------------

libcurl contains a heap out-of-bounds read in the code handling the
end-of-response for SMTP.

If the buffer passed to `smtp_endofresp()` isn't NUL terminated and contains
no character ending the parsed number, and `len` is set to 5, then the
`strtol()` call reads beyond the allocated buffer. The read contents will not
be returned to the caller.

We are not aware of any exploit of this flaw.

INFO 

----
This bug was introduced in October 2013 in
[commit 2766262a68](https://github.com/curl/curl/commit/2766262a68).
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2019-3823 to this issue.
CWE-125: Out-of-bounds Read
Severity: 3.7 (Low)
AFFECTED VERSIONS
-----------------
- Affected versions: libcurl 7.34.0 to and including 7.63.0
- Not affected versions: libcurl < 7.34.0
libcurl is used by many applications, but not always advertised as such.
THE SOLUTION
------------
A [patch for CVE-2019-3823](https://github.com/curl/curl/commit/39df4073e5413fcdbb5a38da0c1ce6f1c0ceb484) is available.
RECOMMENDATIONS
--------------
We suggest you take one of the following actions immediately, in order of
preference:
  A - Upgrade curl to version 7.64.0
  B - Apply the patch to your version and rebuild
  C - Turn off SMTP
TIMELINE
--------
The issue was reported to the curl project on January 18, 2019. A patch was
communicated to the reporter on January 19, 2019. We contacted distros_at_openwall
on January 28.
curl 7.64.0 was released on February 6 2019, coordinated with the publication
of this advisory.
CREDITS
-------
Reported by Brian Carpenter, Geeknik Labs. Patch by Daniel Gustafsson
Thanks a lot!
-- 
  / daniel.haxx.se
-----------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-users
Etiquette:   https://curl.haxx.se/mail/etiquette.html
Received on 2019-02-06