Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 660894 (CVE-2018-0500) - <net-misc/curl-7.61.0: Heap-based Buffer Overflow (CVE-2018-0500)
Summary: <net-misc/curl-7.61.0: Heap-based Buffer Overflow (CVE-2018-0500)
Status: RESOLVED FIXED
Alias: CVE-2018-0500
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://curl.haxx.se/docs/adv_2018-70...
Whiteboard: A3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-07-11 08:23 UTC by Florian Schuhmacher
Modified: 2018-09-22 02:48 UTC (History)
1 user (show)

See Also:
Package list:
net-misc/curl-7.61.0
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Florian Schuhmacher 2018-07-11 08:23:31 UTC
curl might overflow a heap based memory buffer when sending data over SMTP and using a reduced read buffer.

When sending data over SMTP, curl allocates a separate "scratch area" on the heap to be able to escape the uploaded data properly if the uploaded data contains data that requires it.

The size of this temporary scratch area was mistakenly made to be 2 * sizeof(download_buffer) when it should have been made 2 * sizeof(upload_buffer).

The upload and the download buffer sizes are identically sized by default (16KB) but since version 7.54.1, curl can resize the download buffer into a smaller buffer (as well as larger). If the download buffer size is set to a value smaller than 10923, the Curl_smtp_escape_eob() function might overflow the scratch buffer when sending contents of sufficient size and contents.

Gentoo Security Scout
Florian Schuhmacher
Comment 1 Anthony Basile gentoo-dev 2018-07-11 18:15:45 UTC
I've just added 7.61.0 to the tree and is not vulnerable to CVE-2018-0500.  We should rapid stabilize:

KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

I've also added the exp profiles if someone wants to stabilize them.
Comment 2 Rolf Eike Beer archtester 2018-07-11 18:52:46 UTC
please provide a package list to start stabilization
Comment 3 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-07-11 23:39:34 UTC
amd64 stable
Comment 4 Mart Raudsepp gentoo-dev 2018-07-12 06:42:57 UTC
arm64 stable
Comment 5 Larry the Git Cow gentoo-dev 2018-07-12 21:16:42 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2010331926d98698e2e1bf0b8c29b6f9310686c7

commit 2010331926d98698e2e1bf0b8c29b6f9310686c7
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-07-12 20:19:41 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-07-12 21:16:32 +0000

    net-misc/curl: stable 7.61.0 for sparc
    
    Bug: https://bugs.gentoo.org/660894
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="sparc"

 net-misc/curl/curl-7.61.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 6 Larry the Git Cow gentoo-dev 2018-07-13 06:06:28 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7071222f9d52c02eeb6955efca0c480b7f49460f

commit 7071222f9d52c02eeb6955efca0c480b7f49460f
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-07-13 05:28:51 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-07-13 06:06:12 +0000

    net-misc/curl: stable 7.61.0 for hppa
    
    Bug: https://bugs.gentoo.org/660894
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="hppa"

 net-misc/curl/curl-7.61.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 7 Larry the Git Cow gentoo-dev 2018-07-14 18:22:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d3c712867711e5f37f6bc2eb26d6bbb7a96965be

commit d3c712867711e5f37f6bc2eb26d6bbb7a96965be
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-07-14 17:59:10 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-07-14 17:59:10 +0000

    net-misc/curl: stable 7.61.0 for ia64, bug #660894
    
    Bug: https://bugs.gentoo.org/660894
    Package-Manager: Portage-2.3.42, Repoman-2.3.9
    RepoMan-Options: --include-arches="ia64"

 net-misc/curl/curl-7.61.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 8 Larry the Git Cow gentoo-dev 2018-07-14 20:09:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6961eb2526e4fc9687068f5cec6e20d0d581da77

commit 6961eb2526e4fc9687068f5cec6e20d0d581da77
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-07-14 19:59:37 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-07-14 19:59:37 +0000

    net-misc/curl: stable 7.61.0 for ppc64, bug #660894
    
    Bug: https://bugs.gentoo.org/660894
    Package-Manager: Portage-2.3.42, Repoman-2.3.9
    RepoMan-Options: --include-arches="ppc64"

 net-misc/curl/curl-7.61.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 9 Larry the Git Cow gentoo-dev 2018-07-14 20:16:29 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=15b8fdf1549bc50cbe1a31b12efa8cffe230e25e

commit 15b8fdf1549bc50cbe1a31b12efa8cffe230e25e
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-07-14 20:13:50 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-07-14 20:13:50 +0000

    net-misc/curl: stable 7.61.0 for ppc, bug #660894
    
    Bug: https://bugs.gentoo.org/660894
    Package-Manager: Portage-2.3.42, Repoman-2.3.9
    RepoMan-Options: --include-arches="ppc"

 net-misc/curl/curl-7.61.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev 2018-07-15 14:24:37 UTC
x86 stable
Comment 11 Tobias Klausmann (RETIRED) gentoo-dev 2018-07-21 09:49:53 UTC
Stable on alpha.
Comment 12 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-07-21 17:41:22 UTC
arm/m68k/s390/sh done
Comment 13 Michael Boyle 2018-07-21 23:03:39 UTC
GLSA filed.
@Maintainer, please clean.
Comment 14 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-07-29 22:28:27 UTC
This issue was resolved and addressed in
 GLSA 201807-04 at https://security.gentoo.org/glsa/201807-04
by GLSA coordinator Christopher Diaz Riveros (chrisadr).

@Maintainers please proceed to clean vulnerable versions.
Comment 15 Larry the Git Cow gentoo-dev 2018-09-21 16:42:05 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6681b26b2091f8ea5414a03bf79d1459cc197c96

commit 6681b26b2091f8ea5414a03bf79d1459cc197c96
Author:     Mikle Kolyada <zlogene@gentoo.org>
AuthorDate: 2018-09-21 16:41:27 +0000
Commit:     Mikle Kolyada <zlogene@gentoo.org>
CommitDate: 2018-09-21 16:41:27 +0000

    net-misc/curl: Security cleanup
    
    Bug: https://bugs.gentoo.org/665292
    Bug: https://bugs.gentoo.org/660894
    Package-Manager: Portage-2.3.49, Repoman-2.3.10

 net-misc/curl/Manifest              |   2 -
 net-misc/curl/curl-7.60.0-r1.ebuild | 247 ------------------------------------
 net-misc/curl/curl-7.60.0.ebuild    | 247 ------------------------------------
 net-misc/curl/curl-7.61.0.ebuild    | 247 ------------------------------------
 4 files changed, 743 deletions(-)
Comment 16 Thomas Deutschmann (RETIRED) gentoo-dev 2018-09-22 02:48:38 UTC
All done, repository is clean.