Opened 6 years ago
Closed 6 years ago
#10940 closed enhancement (fixed)
curl-7.61.0
| Reported by: | Bruce Dubbs | Owned by: | Douglas R. Reno |
|---|---|---|---|
| Priority: | high | Milestone: | 8.3 |
| Component: | BOOK | Version: | SVN |
| Severity: | normal | Keywords: | |
| Cc: | | | |
Description
New minor version.
Change History (4)
comment:1 by , 6 years ago
comment:2 by , 6 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:3 by , 6 years ago
Priority: | normal → high |
---|
Fixed in 7.61.0 - July 11 2018

Changes:
- getinfo: add microsecond precise timers for seven intervals
- curl: show headers in bold, switch off with --no-styled-output
- httpauth: add support for Bearer tokens
- Add CURLOPT_TLS13_CIPHERS and CURLOPT_PROXY_TLS13_CIPHERS
- curl: --tls13-ciphers and --proxy-tls13-ciphers
- Add CURLOPT_DISALLOW_USERNAME_IN_URL
- curl: --disallow-username-in-url

Bugfixes:
- CVE-2018-0500: smtp: fix SMTP send buffer overflow
- schannel: disable client cert option if APIs not available
- schannel: disable manual verify if APIs not available
- tests/libtest/Makefile: Do not unconditionally add gcc-specific flags
- openssl: acknowledge --tls-max for default version too
- stub_gssapi: fix 'unused parameter' warnings
- examples/progressfunc: make it build on both new and old libcurls
- docs: mention it is HA Proxy protocol "version 1"
- curl_fnmatch: only allow two asterisks for matching
- docs: clarify CURLOPT_HTTPGET
- configure: replace a AC_TRY_RUN with CURL_RUN_IFELSE
- configure: do compile-time SIZEOF checks instead of run-time
- checksrc: make sure sizeof() is used *with* parentheses
- CURLOPT_ACCEPT_ENCODING.3: add brotli and clarify a bit
- schannel: make CAinfo parsing resilient to CR/LF
- tftp: make sure error is zero terminated before printfing it
- http resume: skip body if http code 416 (range error) is ignored
- configure: add basic test of --with-ssl prefix
- cmake: set -d postfix for debug builds
- multi: provide a socket to wait for in Curl_protocol_getsock
- content_encoding: handle zlib versions too old for Z_BLOCK
- winbuild: only delete OUTFILE if it exists
- winbuild: In MakefileBuild.vc fix typo DISTDIR->DIRDIST
- schannel: add failf calls for client certificate failures
- cmake: Fix the test for fsetxattr and strerror_r
- curl.1: Fix cmdline-opts reference errors
- cmdline-opts/gen.pl: warn if mutexes: or see-also: list non-existing options
- cmake: check for getpwuid_r
- configure: fix ssh2 linking when built with a static mbedtls
- psl: use latest psl and refresh it periodically
- fnmatch: insist on escaped bracket to match
- KNOWN_BUGS: restore text regarding #2101
- INSTALL: LDFLAGS=-Wl,-R/usr/local/ssl/lib
- configure: override AR_FLAGS to silence warning
- os400: implement mime api EBCDIC wrappers
- curl.rc: embed manifest for correct Windows version detection
- strictness: correct {infof, failf} format specifiers
- tests: update .gitignore for libtests
- configure: check for declaration of getpwuid_r
- fnmatch: use the system one if available
- CURLOPT_RESOLVE: always purge old entry first
- multi: remove a potentially bad DEBUGF()
- curl_addrinfo: use same #ifdef conditions in source as header
- build: remove the Borland specific makefiles
- axTLS: not considered fit for use
- cmdline-opts/cert-type.d: mention "p12" as a recognized type
- system.h: add support for IBM xlc C compiler
- tests/libtest: Add lib1521 to nodist_SOURCES
- mk-ca-bundle.pl: leave certificate name untouched
- boringssl + schannel: undef X509_NAME in lib/schannel.h
- openssl: assume engine support in 1.0.1 or later
- cppcheck: fix warnings
- test 46: make test pass after year 2025
- schannel: support selecting ciphers
- Curl_debug: remove dead printhost code
- test 1455: unflakified
- Curl_init_do: handle NULL connection pointer passed in
- progress: remove a set of unused defines
- mk-ca-bundle.pl: make -u delete certdata.txt if found not changed
- GOVERNANCE.md: explains how this project is run
- configure: use pkg-config for c-ares detection
- configure: enhance ability to build with static openssl
- maketgz: fix sed issues on OSX
- multi: fix memory leak when stopped during name resolve
- CURLOPT_INTERFACE.3: interface names not supported on Windows
- url: fix dangling conn->data pointer
- cmake: allow multiple SSL backends
- system.h: fix for gcc on 32 bit OpenServer
- ConnectionExists: make sure conn->data is set when "taking" a connection
- multi: fix crash due to dangling entry in connect-pending list
- CURLOPT_SSL_VERIFYPEER.3: Add performance note
- netrc: use a larger buffer to support longer passwords
- url: check Curl_conncache_add_conn return code
- configure: Add dependent libraries after crypto
- easy_perform: faster local name resolves by using *multi_timeout()
- getnameinfo: not used, removed all configure checks
- travis: add a build using the synchronous name resolver
- CURLINFO_TLS_SSL_PTR.3: improve the example
- openssl: allow TLS 1.3 by default
- openssl: make the requested TLS version the *minimum* wanted
- openssl: Remove some dead code
- telnet: fix clang warnings
- DEPRECATE: new doc describing planned item removals
- example/crawler.c: simple crawler based on libxml2
- libssh: goto DISCONNECT state on error, not SESSION_FREE
- CMake: Remove unused functions
- darwinssl: allow High Sierra users to build the code using GCC
- scripts: include _curl as part of CLEANFILES
From https://curl.haxx.se/docs/adv_2018-70a2.html :
"SMTP send heap buffer overflow - Project curl Security Advisory, July 11th 2018
VULNERABILITY: curl might overflow a heap based memory buffer when sending data over SMTP and using a reduced read buffer.
When sending data over SMTP, curl allocates a separate "scratch area" on the heap to be able to escape the uploaded data properly if the uploaded data contains data that requires it.
The size of this temporary scratch area was mistakenly made to be 2 * sizeof(download_buffer) when it should have been made 2 * sizeof(upload_buffer).
The upload and the download buffer sizes are identically sized by default (16KB) but since version 7.54.1, curl can resize the download buffer into a smaller buffer (as well as larger). If the download buffer size is set to a value smaller than 10923, the Curl_smtp_escape_eob() function might overflow the scratch buffer when sending contents of sufficient size and contents.
The curl command line tool lowers the buffer size when --limit-rate is set to a value smaller than 16KB.
We are not aware of any exploit of this flaw."
(test case in the advisory, I guess anybody using curl over SMTP ought to upgrade)
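The sizing mistake the advisory describes is easy to see with numbers. The following is an added illustration written for this ticket, not curl's own code: curl's real Curl_smtp_escape_eob() keeps more state than this, and the model here only implements RFC 5321 dot-stuffing ("\r\n." becomes "\r\n..", and a dot at the very start of the body is doubled), which is already enough to reproduce the 10923 threshold quoted above. The function names, the UPLOAD_BUFSIZE constant (16384, the default 16KB buffer the advisory mentions) and the constructed worst-case input are assumptions made for the example; the escape routine is bounds-checked and refuses the write where the unchecked original would have run past the heap allocation.

```c
/* Added illustration of the CVE-2018-0500 sizing bug; this is NOT curl's
 * code. Only RFC 5321 dot-stuffing is modelled ("\r\n." -> "\r\n..", plus a
 * leading "." doubled). Names, UPLOAD_BUFSIZE and the worst-case input are
 * assumptions made for the example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define UPLOAD_BUFSIZE 16384   /* curl's default 16KB buffer, per the advisory */

/* Worst-case escaped size: a leading "." doubles, then every "\r\n." becomes
 * "\r\n..", so 1 + 3k input bytes can become 2 + 4k output bytes. */
size_t smtp_escape_worst_case(size_t upload_len)
{
    if (upload_len == 0)
        return 0;
    size_t k = (upload_len - 1) / 3;     /* full "\r\n." triplets */
    size_t rem = (upload_len - 1) % 3;   /* trailing bytes copied 1:1 */
    return 2 + 4 * k + rem;
}

/* Scratch sizing as the advisory describes it: the buggy build derived it
 * from the (shrinkable) download buffer, the fix from the upload buffer. */
size_t scratch_size_buggy(size_t download_bufsize) { return 2 * download_bufsize; }
size_t scratch_size_fixed(size_t upload_bufsize)   { return 2 * upload_bufsize; }

/* Bounds-checked dot-stuffing. Returns the escaped length, or -1 where the
 * unchecked original would have written past the end of the heap scratch
 * area. */
long smtp_escape_eob(const char *in, size_t in_len, char *scratch, size_t scratch_size)
{
    size_t out = 0;
    int at_line_start = 1;               /* start of body counts as after CRLF */
    for (size_t i = 0; i < in_len; i++) {
        char c = in[i];
        size_t need = (c == '.' && at_line_start) ? 2 : 1;
        if (out + need > scratch_size)
            return -1;                   /* would overflow: refuse instead */
        if (need == 2)
            scratch[out++] = '.';        /* stuff the extra dot */
        scratch[out++] = c;
        at_line_start = (c == '\n' && i > 0 && in[i - 1] == '\r');
    }
    return (long)out;
}

/* Constructed worst-case upload: "." followed by "\r\n." repeated. */
char *build_worst_case(size_t len)
{
    char *buf = malloc(len);
    if (!buf)
        return NULL;
    for (size_t i = 0; i < len; i++) {
        if (i == 0 || (i - 1) % 3 == 2)
            buf[i] = '.';
        else
            buf[i] = ((i - 1) % 3 == 0) ? '\r' : '\n';
    }
    return buf;
}

/* 1 if a worst-case UPLOAD_BUFSIZE upload fits in a scratch area of the given
 * size, 0 if escaping it would run off the end. */
int worst_case_fits(size_t scratch_size)
{
    char *in = build_worst_case(UPLOAD_BUFSIZE);
    char *scratch = malloc(scratch_size ? scratch_size : 1);
    long n = (in && scratch) ? smtp_escape_eob(in, UPLOAD_BUFSIZE, scratch, scratch_size) : -1;
    free(in);
    free(scratch);
    return n >= 0;
}

int main(void)
{
    /* download buffer sizes to try, e.g. after --limit-rate has shrunk it */
    size_t download_sizes[] = { 10922, 10923, 16384 };
    printf("worst-case escaped size of a %d-byte upload: %zu bytes\n",
           UPLOAD_BUFSIZE, smtp_escape_worst_case(UPLOAD_BUFSIZE));
    for (size_t i = 0; i < sizeof download_sizes / sizeof download_sizes[0]; i++) {
        size_t dl = download_sizes[i];
        printf("download buffer %5zu: buggy scratch %zu -> %s; fixed scratch %zu -> %s\n",
               dl,
               scratch_size_buggy(dl),
               worst_case_fits(scratch_size_buggy(dl)) ? "fits" : "OVERFLOW",
               scratch_size_fixed(UPLOAD_BUFSIZE),
               worst_case_fits(scratch_size_fixed(UPLOAD_BUFSIZE)) ? "fits" : "OVERFLOW");
    }
    return 0;
}
```

The threshold falls out of the arithmetic: a 16384-byte upload can escape to at most 21846 bytes, 2 * 10923 = 21846 holds it exactly, and 2 * 10922 = 21844 does not, which is why the advisory says any download buffer below 10923 is affected. Whether or not the real escaper doubles a leading dot changes the worst case by one byte and leaves the threshold the same. With the fix the scratch area is sized from the upload buffer (32768 here) and is unaffected by --limit-rate shrinking the download buffer.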