{"id":"CURL-CVE-2018-0500","summary":"SMTP send heap buffer overflow","details":"curl might overflow a heap based memory buffer when sending data over SMTP and\nusing a reduced read buffer.\n\nWhen sending data over SMTP, curl allocates a separate \"scratch area\" on the\nheap to be able to escape the uploaded data properly if the uploaded data\ncontains data that requires it.\n\nThe size of this temporary scratch area was mistakenly made to be `2 *\nsizeof(download_buffer)` when it should have been made `2 *\nsizeof(upload_buffer)`.\n\nThe upload and the download buffer sizes are identically sized by default\n(16KB) but since version 7.54.1, curl can resize the download buffer into a\nsmaller buffer (as well as larger). If the download buffer size is set to a\nvalue smaller than 10923, the `Curl_smtp_escape_eob()` function might overflow\nthe scratch buffer when sending contents of sufficient size and contents.\n\nThe curl command line tool lowers the buffer size when `--limit-rate` is set\nto a value smaller than 16KB.","aliases":["CVE-2018-0500"],"modified":"2024-06-07T13:53:51Z","published":"2018-07-11T08:00:00Z","database_specific":{"severity":"High","last_affected":"7.60.0","package":"curl","URL":"https://curl.se/docs/CVE-2018-0500.json","CWE":{"id":"CWE-122","desc":"Heap-based Buffer Overflow"},"affects":"both","www":"https://curl.se/docs/CVE-2018-0500.html"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.54.1"},{"fixed":"7.61.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"e40e9d7f0decc799e3ccfe2c418632f8bb52031a"},{"fixed":"ba1dbd78e5f1ed67c1b8d37ac89d90e5e330b628"}]}],"versions":["7.60.0","7.59.0","7.58.0","7.57.0","7.56.1","7.56.0","7.55.1","7.55.0","7.54.1"],"database_specific":{"vanir_signatures":[{"id":"CURL-CVE-2018-0500-32ea0310","deprecated":false,"signature_version":"v1","source":"https://github.com/curl/curl.git/commit/ba1dbd78e5f1ed67c1b8d37ac89d90e5e330b628","digest":{"function_hash":"220425643078242232243892256799210626195","length":1560},"signature_type":"Function","target":{"function":"Curl_smtp_escape_eob","file":"lib/smtp.c"}},{"id":"CURL-CVE-2018-0500-f50310d7","deprecated":false,"signature_version":"v1","source":"https://github.com/curl/curl.git/commit/ba1dbd78e5f1ed67c1b8d37ac89d90e5e330b628","digest":{"threshold":0.9,"line_hashes":["100346489179498015074596516711790345714","36398893905587497857396509459642227416","83528369294652915166766063052770479545","119381144070371804446013776337879380459","308943778265509870019894021240107613861","167054270400523215026863660412897532998","326483793231161323803805689795008028311","214925078150770847850926944304516077504","226951013112595546245203535799648872728"]},"signature_type":"Line","target":{"file":"lib/smtp.c"}}],"source":"https://curl.se/docs/CURL-CVE-2018-0500.json"}}],"schema_version":"1.7.3","credits":[{"name":"Peter Wu","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}