
List:       oss-security
Subject:    [oss-security] [SECURITY ADVISORY] curl: SMTP end-of-response out-of-bounds read
From:       Daniel Stenberg <daniel () haxx ! se>
Date:       2019-02-06 7:12:37
Message-ID: alpine.DEB.2.20.1902060809320.28483 () tvnag ! unkk ! fr

SMTP end-of-response out-of-bounds read
=======================================

Project curl Security Advisory, February 6th 2019 -
[Permalink](https://curl.haxx.se/docs/CVE-2019-3823.html)

VULNERABILITY
-------------

libcurl contains a heap out-of-bounds read in the code handling the
end-of-response for SMTP.

If the buffer passed to `smtp_endofresp()` isn't NUL terminated, contains no
non-digit character that would stop the number parsing, and `len` is set to 5,
then the `strtol()` call reads past the end of the allocated buffer. The bytes
read out of bounds are not returned to the caller; only the parsed response
code is.

We are not aware of any exploit of this flaw.
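
The following is an added illustration of the bug class described above, not
libcurl's own code: a stripped-down model of an SMTP end-of-response check in
the shape the advisory describes (a 3-digit code followed by a space, or a
5-byte line, ends the response; a '-' after the code marks a continuation
line). The vulnerable variant hands the raw, length-delimited line to
`strtol()`; the hardened variant copies at most five bytes into a
NUL-terminated scratch buffer first, so the parse can never run past `len`.
The function names, the backing-array layout and the sample lines are all
constructed for the demo.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the SMTP end-of-response check (not libcurl's code).
 * `line` points at the start of a response line, `len` is the number of
 * bytes that are valid. There is no guarantee of a NUL within `len`. */
static bool endofresp_vulnerable(const char *line, size_t len, long *resp)
{
  if(len < 4 || !isdigit((unsigned char)line[0]) ||
     !isdigit((unsigned char)line[1]) || !isdigit((unsigned char)line[2]))
    return false;

  if(line[3] == ' ' || len == 5) {
    /* BUG: strtol() knows nothing about `len`. It keeps consuming digits
     * until it meets a non-digit, so with no NUL and no non-digit inside the
     * first `len` bytes it reads beyond the buffer. */
    *resp = strtol(line, NULL, 10);
    return true;
  }
  if(line[3] == '-') {
    *resp = 1;                       /* internal "continuation" marker */
    return true;
  }
  return false;
}

/* Hardened variant: never let strtol() see more than `len` bytes. Copy the
 * bytes that matter (5 for a 5-byte line, otherwise the 3-digit code) into a
 * scratch buffer and NUL-terminate it before parsing. */
static bool endofresp_fixed(const char *line, size_t len, long *resp)
{
  if(len < 4 || !isdigit((unsigned char)line[0]) ||
     !isdigit((unsigned char)line[1]) || !isdigit((unsigned char)line[2]))
    return false;

  if(line[3] == ' ' || len == 5) {
    char tmp[6];
    size_t n = (len == 5) ? 5 : 3;   /* bounded by len, never more than 5 */
    memcpy(tmp, line, n);
    tmp[n] = '\0';
    *resp = strtol(tmp, NULL, 10);
    return true;
  }
  if(line[3] == '-') {
    *resp = 1;
    return true;
  }
  return false;
}

/* Constructed input: a 5-byte "line" at the start of a larger backing array
 * whose following bytes are also digits and carry no NUL. The over-read of
 * the vulnerable parser therefore stays inside this array (the demo is safe
 * to run) but shows up in the parsed value. In the real bug the bytes after
 * `len` could lie outside the heap allocation. */
static long parse_code(bool hardened)
{
  char backing[8] = {'2', '5', '0', '1', '2', '3', '4', 'X'};
  long code = -1;
  bool end = hardened ? endofresp_fixed(backing, 5, &code)
                      : endofresp_vulnerable(backing, 5, &code);
  return end ? code : -1;
}

/* Ordinary, NUL-terminated sample lines through the hardened parser.
 * Returns the response code, 1 for a continuation line, -1 if the line
 * does not end a response. */
static long parse_line(const char *s)
{
  long code = -1;
  if(!endofresp_fixed(s, strlen(s), &code))
    return -1;
  return code;
}

int main(void)
{
  printf("vulnerable parser on 5-byte line: %ld\n", parse_code(false));
  printf("hardened parser on 5-byte line:   %ld\n", parse_code(true));
  printf("\"250 OK\\r\\n\"      -> %ld\n", parse_line("250 OK\r\n"));
  printf("\"250-SIZE ...\\r\\n\" -> %ld\n", parse_line("250-SIZE 35882577\r\n"));
  printf("\"250\\r\\n\"         -> %ld\n", parse_line("250\r\n"));
  return 0;
}
```

The vulnerable parser reports 2501234 for the 5-byte line, having consumed
two bytes past `len`; the hardened one reports 25012 and stops at the
terminator it wrote itself. The general lesson is the one the advisory makes:
`strtol()` and its relatives take no length argument, so they must only ever
be pointed at memory that is known to end in a NUL.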

INFO
----

This bug was introduced in October 2013 in
[commit 2766262a68](https://github.com/curl/curl/commit/2766262a68).

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2019-3823 to this issue.

CWE-125: Out-of-bounds Read

Severity: 3.7 (Low)

AFFECTED VERSIONS
-----------------

- Affected versions: libcurl 7.34.0 to and including 7.63.0
- Not affected versions: libcurl < 7.34.0

libcurl is used by many applications, but not always advertised as such.

THE SOLUTION
------------

A [patch for CVE-2019-3823](https://github.com/curl/curl/commit/39df4073e5413fcdbb5a38da0c1ce6f1c0ceb484) is available.

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

  A - Upgrade curl to version 7.64.0

  B - Apply the patch to your version and rebuild

  C - Turn off SMTP (for example, build libcurl with `--disable-smtp`, or
      restrict `CURLOPT_PROTOCOLS` in the application so SMTP is not allowed)

TIMELINE
--------

The issue was reported to the curl project on January 18, 2019. A patch was
communicated to the reporter on January 19, 2019. We contacted distros@openwall
on January 28.

curl 7.64.0 was released on February 6 2019, coordinated with the publication
of this advisory.

CREDITS
-------

Reported by Brian Carpenter, Geeknik Labs. Patch by Daniel Gustafsson.

Thanks a lot!

-- 

  / daniel.haxx.se

