[ASA-201807-7] lib32-libcurl-gnutls: arbitrary code execution

2018-07-16T00:00:00
ID ASA-201807-7
Type archlinux
Reporter ArchLinux
Modified 2018-07-16T00:00:00

Description

Arch Linux Security Advisory ASA-201807-7

Severity: High Date : 2018-07-16 CVE-ID : CVE-2018-0500 Package : lib32-libcurl-gnutls Type : arbitrary code execution Remote : Yes Link : https://security.archlinux.org/AVG-732

Summary

The package lib32-libcurl-gnutls before version 7.61.0-1 is vulnerable to arbitrary code execution.

Resolution

Upgrade to 7.61.0-1.

pacman -Syu "lib32-libcurl-gnutls>=7.61.0-1"

The problem has been fixed upstream in version 7.61.0.

Workaround

None.

Description

It has been discovered that curl before 7.61.0 might overflow a heap based memory buffer when sending data over SMTP and using a reduced read buffer.

When sending data over SMTP, curl allocates a separate "scratch area" on the heap to be able to escape the uploaded data properly if the uploaded data contains data that requires it. The size of this temporary scratch area was mistakenly made to be 2 * sizeof(download_buffer) when it should have been made 2 * sizeof(upload_buffer). The upload and the download buffer sizes are identically sized by default (16KB) but since version 7.54.1, curl can resize the download buffer into a smaller buffer (as well as larger). If the download buffer size is set to a value smaller than 10923, the Curl_smtp_escape_eob() function might overflow the scratch buffer when sending contents of sufficient size and contents. The curl command line tool lowers the buffer size when --limit-rate is set to a value smaller than 16KB.

Impact

A remote attacker is able to execute arbitrary code when sending SMTP data.

References

https://curl.haxx.se/docs/adv_2018-70a2.html https://security.archlinux.org/CVE-2018-0500