curl might overflow a heap-based memory buffer when sending data over SMTP and using a reduced read buffer. When sending data over SMTP, curl allocates a separate "scratch area" on the heap to be able to escape the uploaded data properly if the uploaded data contains data that requires it. The size of this temporary scratch area was mistakenly made to be 2 * sizeof(download_buffer) when it should have been made 2 * sizeof(upload_buffer). The upload and the download buffer sizes are identically sized by default (16KB) but since version 7.54.1, curl can resize the download buffer into a smaller buffer (as well as larger). If the download buffer size is set to a value smaller than 10923, the Curl_smtp_escape_eob() function might overflow the scratch buffer when sending contents of sufficient size and contents.

Gentoo Security Scout Florian Schuhmacher
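The arithmetic behind the 10923 threshold above, as an added example that is not curl's code and not part of this bug report: SMTP dot-stuffing turns every "\r\n." into "\r\n..", so an upload buffer of 16384 bytes can grow to 16384 + 16384/3 = 21845 bytes, and a scratch area of 2 * download_size only holds that when download_size >= 10923. The escaper below is a stateless model of what Curl_smtp_escape_eob() does within one chunk (it ignores the cross-chunk match state the real function keeps) and adds the bounds check the unpatched code lacked; the function names, the constructed "\r\n." worst-case input and the 8192-byte reduced download buffer are this example's own assumptions.

```c
/*
 * Added example, not curl's source: a bounds-checked model of SMTP
 * dot-stuffing and of the scratch-buffer sizing behind CVE-2018-0500.
 * All names here (smtp_escape_eob, escape_worst_chunk, ...) are this
 * example's own, not curl's.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define UPLOAD_BUFSIZE   16384  /* curl's upload buffer, 16KB */
#define DOWNLOAD_DEFAULT 16384  /* default download buffer, same size */

/* Escape "\r\n." to "\r\n.." so a line starting with "." cannot end the
 * SMTP DATA phase early.  Stateless within one chunk (curl carries match
 * state across chunks).  Writes at most outcap bytes and returns the
 * escaped length, or (size_t)-1 when the output would not fit; the
 * unpatched curl code had no such check and trusted the scratch size. */
size_t smtp_escape_eob(const unsigned char *in, size_t n,
                       unsigned char *out, size_t outcap)
{
    size_t si = 0;
    for (size_t i = 0; i < n; i++) {
        if (si >= outcap)
            return (size_t)-1;
        out[si++] = in[i];
        /* "\r\n." just copied: stuff one extra dot behind it */
        if (in[i] == '.' && i >= 2 && in[i - 1] == '\n' && in[i - 2] == '\r') {
            if (si >= outcap)
                return (size_t)-1;
            out[si++] = '.';
        }
    }
    return si;
}

/* Worst-case growth: every third input byte can be a stuffed dot. */
size_t worst_case_escaped_len(size_t raw_len)
{
    return raw_len + raw_len / 3;
}

/* Smallest download buffer size for which the buggy 2 * download_size
 * scratch allocation still holds a worst-case escaped upload buffer. */
size_t min_safe_download_bufsize(void)
{
    size_t need = worst_case_escaped_len(UPLOAD_BUFSIZE);
    return (need + 1) / 2;  /* ceil(need / 2) */
}

/* Build a raw_len-byte chunk of "\r\n." repeated (constructed worst case),
 * escape it into a heap scratch area of scratch_bytes and return the
 * escaped length, or 0 if the bounded escaper refused.  In unpatched curl
 * that refusal was a heap overflow instead. */
size_t escape_worst_chunk(size_t raw_len, size_t scratch_bytes)
{
    static const unsigned char pattern[3] = { '\r', '\n', '.' };
    unsigned char *raw = malloc(raw_len);
    unsigned char *scratch = malloc(scratch_bytes);
    size_t written = 0;
    if (raw && scratch) {
        for (size_t i = 0; i < raw_len; i++)
            raw[i] = pattern[i % 3];
        written = smtp_escape_eob(raw, raw_len, scratch, scratch_bytes);
        if (written == (size_t)-1)
            written = 0;
    }
    free(raw);
    free(scratch);
    return written;
}

int main(void)
{
    size_t need = worst_case_escaped_len(UPLOAD_BUFSIZE);
    printf("worst-case escaped size of a %d-byte upload chunk: %zu bytes\n",
           UPLOAD_BUFSIZE, need);
    printf("smallest download buffer safe with 2*download sizing: %zu\n",
           min_safe_download_bufsize());

    /* buggy sizing with a reduced download buffer: 2 * 8192 = 16384 bytes */
    size_t small = 8192;
    printf("scratch = 2*%zu: %s\n", small,
           escape_worst_chunk(UPLOAD_BUFSIZE, 2 * small) ? "fits" : "OVERFLOW");
    /* fixed sizing: 2 * upload buffer */
    printf("scratch = 2*%d: %s\n", UPLOAD_BUFSIZE,
           escape_worst_chunk(UPLOAD_BUFSIZE, 2 * UPLOAD_BUFSIZE) ? "fits" : "OVERFLOW");
    return 0;
}
```

With the default 16KB download buffer the buggy allocation happens to be large enough (32768 >= 21845), which is why the bug only bites once the download buffer is shrunk below 10923 bytes; sizing the scratch area from the upload buffer, as the fix does, removes the dependency on a user-tunable value altogether.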
I've just added 7.61.0 to the tree and it is not vulnerable to CVE-2018-0500. We should rapid stabilize:

KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

I've also added the exp profiles if someone wants to stabilize them.
please provide a package list to start stabilization
amd64 stable
arm64 stable
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2010331926d98698e2e1bf0b8c29b6f9310686c7

commit 2010331926d98698e2e1bf0b8c29b6f9310686c7
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-07-12 20:19:41 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-07-12 21:16:32 +0000

    net-misc/curl: stable 7.61.0 for sparc

    Bug: https://bugs.gentoo.org/660894
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="sparc"

 net-misc/curl/curl-7.61.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7071222f9d52c02eeb6955efca0c480b7f49460f

commit 7071222f9d52c02eeb6955efca0c480b7f49460f
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-07-13 05:28:51 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-07-13 06:06:12 +0000

    net-misc/curl: stable 7.61.0 for hppa

    Bug: https://bugs.gentoo.org/660894
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="hppa"

 net-misc/curl/curl-7.61.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d3c712867711e5f37f6bc2eb26d6bbb7a96965be

commit d3c712867711e5f37f6bc2eb26d6bbb7a96965be
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-07-14 17:59:10 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-07-14 17:59:10 +0000

    net-misc/curl: stable 7.61.0 for ia64, bug #660894

    Bug: https://bugs.gentoo.org/660894
    Package-Manager: Portage-2.3.42, Repoman-2.3.9
    RepoMan-Options: --include-arches="ia64"

 net-misc/curl/curl-7.61.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6961eb2526e4fc9687068f5cec6e20d0d581da77

commit 6961eb2526e4fc9687068f5cec6e20d0d581da77
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-07-14 19:59:37 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-07-14 19:59:37 +0000

    net-misc/curl: stable 7.61.0 for ppc64, bug #660894

    Bug: https://bugs.gentoo.org/660894
    Package-Manager: Portage-2.3.42, Repoman-2.3.9
    RepoMan-Options: --include-arches="ppc64"

 net-misc/curl/curl-7.61.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=15b8fdf1549bc50cbe1a31b12efa8cffe230e25e

commit 15b8fdf1549bc50cbe1a31b12efa8cffe230e25e
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-07-14 20:13:50 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-07-14 20:13:50 +0000

    net-misc/curl: stable 7.61.0 for ppc, bug #660894

    Bug: https://bugs.gentoo.org/660894
    Package-Manager: Portage-2.3.42, Repoman-2.3.9
    RepoMan-Options: --include-arches="ppc"

 net-misc/curl/curl-7.61.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
x86 stable
Stable on alpha.
arm/m68k/s390/sh done
GLSA filed. @Maintainer, please clean.
This issue was resolved and addressed in GLSA 201807-04 at https://security.gentoo.org/glsa/201807-04 by GLSA coordinator Christopher Diaz Riveros (chrisadr). @Maintainers please proceed to clean vulnerable versions.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6681b26b2091f8ea5414a03bf79d1459cc197c96

commit 6681b26b2091f8ea5414a03bf79d1459cc197c96
Author:     Mikle Kolyada <zlogene@gentoo.org>
AuthorDate: 2018-09-21 16:41:27 +0000
Commit:     Mikle Kolyada <zlogene@gentoo.org>
CommitDate: 2018-09-21 16:41:27 +0000

    net-misc/curl: Security cleanup

    Bug: https://bugs.gentoo.org/665292
    Bug: https://bugs.gentoo.org/660894
    Package-Manager: Portage-2.3.49, Repoman-2.3.10

 net-misc/curl/Manifest              |   2 -
 net-misc/curl/curl-7.60.0-r1.ebuild | 247 ------------------------------------
 net-misc/curl/curl-7.60.0.ebuild    | 247 ------------------------------------
 net-misc/curl/curl-7.61.0.ebuild    | 247 ------------------------------------
 4 files changed, 743 deletions(-)
All done, repository is clean.