SMTP end-of-response out-of-bounds read
=======================================

Project curl Security Advisory, February 6th 2019 -
[Permalink](https://curl.haxx.se/docs/CVE-2019-3823.html)

VULNERABILITY
-------------

libcurl contains a heap out-of-bounds read in the code handling the
end-of-response for SMTP.

If the buffer passed to `smtp_endofresp()` isn't NUL terminated and contains
no character ending the parsed number, and `len` is set to 5, then the
`strtol()` call reads beyond the allocated buffer.

The read contents will not be returned to the caller.

We are not aware of any exploit of this flaw.

INFO
----

This bug was introduced in October 2013 in
[commit 2766262a68](https://github.com/curl/curl/commit/2766262a68).

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2019-3823 to this issue.

CWE-125: Out-of-bounds Read

Severity: 3.7 (Low)

AFFECTED VERSIONS
-----------------

- Affected versions: libcurl 7.34.0 to and including 7.63.0
- Not affected versions: libcurl < 7.34.0

libcurl is used by many applications, but not always advertised as such.

THE SOLUTION
------------

A [patch for CVE-2019-3823](https://github.com/curl/curl/commit/39df4073e5413fcdbb5a38da0c1ce6f1c0ceb484)
is available.

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

A - Upgrade curl to version 7.64.0

B - Apply the patch to your version and rebuild

C - Turn off SMTP

TIMELINE
--------

The issue was reported to the curl project on January 18, 2019.

A patch was communicated to the reporter on January 19, 2019.

We contacted distros@openwall on January 28.

curl 7.64.0 was released on February 6 2019, coordinated with the publication
of this advisory.

CREDITS
-------

Reported by Brian Carpenter, Geeknik Labs.
Patch by Daniel Gustafsson

Thanks a lot!

--

 / daniel.haxx.se
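The VULNERABILITY section above describes the bug shape only in words. The following is an added illustration written for this page, not curl's own `smtp_endofresp()` and not the text of the linked patch: two small parsers with the same interface (a `len`-byte line that is not guaranteed to be NUL terminated, a reply code written to `*resp`). `endofresp_unsafe()` points `strtol()` straight at the buffer, so a five-digit line with no terminator makes it scan past the allocation; `endofresp_safe()` copies only the three code digits into a zero-filled local array so the terminator is always within bounds. The function names, the `parse_code()` helper and the sample lines are assumptions constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added illustration of the CVE-2019-3823 bug shape, not curl's own code.
 * Both parsers return 1 when `line` (len bytes, NOT guaranteed to be NUL
 * terminated) ends an SMTP response and store the 3-digit reply code in
 * *resp; a "250-..." continuation line returns 0.
 */

static int has_reply_code(const char *line, size_t len)
{
    return len >= 4 &&
           isdigit((unsigned char)line[0]) &&
           isdigit((unsigned char)line[1]) &&
           isdigit((unsigned char)line[2]);
}

/* Vulnerable shape: strtol() is handed the unterminated buffer itself.
   With len == 5 and five digits, nothing stops the scan at line[4], so
   strtol() keeps reading into whatever follows the heap allocation. */
int endofresp_unsafe(const char *line, size_t len, int *resp)
{
    if (!has_reply_code(line, len))
        return 0;
    if (line[3] == ' ' || len == 5) {
        *resp = (int)strtol(line, NULL, 10);   /* may read past line + len */
        return 1;
    }
    return 0;
}

/* Hardened shape: only the three code digits are copied into a local,
   zero-filled array, so strtol() always meets a NUL inside our own storage
   regardless of how the caller's buffer is laid out. */
int endofresp_safe(const char *line, size_t len, int *resp)
{
    char tmp[4];
    if (!has_reply_code(line, len))
        return 0;
    if (line[3] == ' ' || len == 5) {
        memset(tmp, 0, sizeof tmp);
        memcpy(tmp, line, 3);
        *resp = (int)strtol(tmp, NULL, 10);
        return 1;
    }
    return 0;
}

/* Helper (constructed for the example): copy `text` into a heap buffer of
   exactly `len` bytes with no NUL, matching the advisory's precondition, run
   a parser on it and return the reply code, or -1 when the line does not
   end a response. */
int parse_code(int (*fn)(const char *, size_t, int *),
               const char *text, size_t len)
{
    int resp = -1;
    char *buf = malloc(len);
    if (!buf)
        return -1;
    memcpy(buf, text, len);
    if (!fn(buf, len, &resp))
        resp = -1;
    free(buf);
    return resp;
}

int parse_code_safe(const char *text, size_t len)
{
    return parse_code(endofresp_safe, text, len);
}

int main(void)
{
    printf("\"250 OK\"         -> %d\n", parse_code_safe("250 OK", 6));
    printf("\"250\\r\\n\"        -> %d\n", parse_code_safe("250\r\n", 5));
    printf("\"250-PIPELINING\" -> %d\n", parse_code_safe("250-PIPELINING", 14));
    printf("\"12345\" (no NUL) -> %d\n", parse_code_safe("12345", 5));
#ifdef DEMO_UNSAFE
    /* Build with: cc -fsanitize=address -DDEMO_UNSAFE example.c
       AddressSanitizer reports a heap-buffer-overflow READ as strtol()
       walks off the end of the 5-byte allocation. */
    printf("unsafe \"12345\"   -> %d\n",
           parse_code(endofresp_unsafe, "12345", 5));
#endif
    return 0;
}
```

The trigger line is the one the advisory names: exactly five bytes, every one of them a digit, no terminator. A normal `250\r\n` banner is also five bytes, which is why the `len == 5` branch exists at all; the hardened version handles both identically because it never looks past the third byte when converting the code. Compiling with `-fsanitize=address -DDEMO_UNSAFE` makes the over-read visible; without a sanitizer the unsafe parser usually just returns a wrong number, which matches the advisory's note that the read contents do not reach the caller.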