Unrated severity · NVD Advisory · Published Jul 11, 2018 · Updated Aug 5, 2024

CVE-2018-0500

Description

A heap-based buffer overflow in curl's SMTP escape function allows remote code execution when sending data with a reduced read buffer.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A heap-based buffer overflow exists in the Curl_smtp_escape_eob function in lib/smtp.c in curl versions 7.54.1 through 7.60.0. When sending data over SMTP, curl allocates a scratch buffer for escaping uploaded data. Due to a programming error, the scratch buffer was sized based on the download buffer size (data->set.buffer_size) instead of the upload buffer size (UPLOAD_BUFSIZE). If the download buffer size is reduced below 10923 bytes (e.g., via --limit-rate or CURLOPT_BUFFERSIZE), the scratch buffer becomes too small, leading to a heap-based overflow when processing sufficiently large upload data [2][4].
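The sizing arithmetic behind the 10923-byte threshold, as an added example (not curl's code and not part of the advisory). It uses a simplified, bounds-checked dot-stuffing routine and assumes, from curl's source for these versions rather than from this page, that the scratch area is twice the configured buffer size and that an upload chunk is 16384 bytes; the function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

#define UPLOAD_BUFSIZE 16384 /* assumed: curl's upload chunk size in these versions */

/* Simplified SMTP dot-stuffing (RFC 5321 section 4.5.2): a '.' that follows
 * CRLF is doubled. Returns bytes written, or -1 if `out` (capacity `cap`)
 * cannot hold the result. Added illustration, not curl's implementation. */
long dot_stuff(const char *in, size_t n, char *out, size_t cap)
{
  size_t i, si = 0;
  for(i = 0; i < n; i++) {
    size_t extra = (in[i] == '.' && i >= 2 &&
                    in[i - 2] == '\r' && in[i - 1] == '\n') ? 1 : 0;
    if(si + 1 + extra > cap)
      return -1; /* explicit bound: refuse instead of writing past `out` */
    out[si++] = in[i];
    if(extra)
      out[si++] = '.';
  }
  return (long)si;
}

/* Escapes one full upload chunk of the densest input ("\r\n." repeated,
 * constructed sample) into a scratch area of 2 * bufsize bytes, the sizing
 * rule described above. Returns 1 if it fits, 0 if the escaper refused. */
int scratch_is_sufficient(size_t bufsize)
{
  static char in[UPLOAD_BUFSIZE];
  char *scratch = malloc(2 * bufsize);
  size_t i; long written;
  if(!scratch)
    return 0;
  for(i = 0; i < sizeof(in); i++)
    in[i] = "\r\n."[i % 3];
  written = dot_stuff(in, sizeof(in), scratch, 2 * bufsize);
  free(scratch);
  return written >= 0;
}

int main(void)
{
  /* UPLOAD_BUFSIZE is the corrected sizing; the rest model a reduced buffer. */
  size_t sizes[] = { UPLOAD_BUFSIZE, 10923, 10922, 1024 };
  size_t k;
  for(k = 0; k < sizeof(sizes) / sizeof(sizes[0]); k++)
    printf("buffer_size=%zu fits=%d\n", sizes[k], scratch_is_sufficient(sizes[k]));
  return 0;
}
```

Escaping can grow a chunk by up to one byte in every three, so a scratch area derived from a buffer size below 10923 cannot hold a full escaped upload chunk, while one derived from UPLOAD_BUFSIZE always can.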

Exploitation

An attacker who can control the data that curl transmits over SMTP can trigger the overflow. The attacker must be able to influence the content of the uploaded data (e.g., via a malicious sender or by supplying crafted input to a read callback) and ensure curl uses a reduced read buffer size (less than 10923 bytes). This can be achieved through command-line options like --limit-rate or via CURLOPT_BUFFERSIZE in libcurl. No authentication is required if curl is configured to send data to an SMTP server [2].

Impact

Successful exploitation results in a heap buffer overflow, which can cause a denial of service (crash) or potentially arbitrary code execution in the context of the curl process. The attacker may be able to execute arbitrary commands or further compromise the system [2][3].

Mitigation

The vulnerability is fixed in curl version 7.61.0, released on July 11, 2018 [2]. Users should upgrade to curl 7.61.0 or later. Red Hat has provided updated packages via RHSA-2018:2486 [1], and Ubuntu via USN-3710-1 [3]. The fix ensures the scratch buffer is allocated based on the upload buffer size (UPLOAD_BUFSIZE) rather than the download buffer size [4].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

