VYPR
Unrated severity · NVD Advisory · Published Oct 31, 2018 · Updated Apr 15, 2026

CVE-2018-16839

Description

Curl versions 7.33.0 to 7.61.1 on 32-bit systems are vulnerable to a heap buffer overflow in SASL authentication via integer overflow, leading to denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Curl versions 7.33.0 through 7.61.1 on 32-bit systems contain an integer overflow in the internal function Curl_auth_create_plain_message (also known as Curl_sasl_create_plain_message). When constructing a SASL PLAIN authentication message, the function fails to properly validate the lengths of the username and password. On systems with a 32-bit size_t, the buffer size calculation overflows if the username exceeds 1 GB and the password is near 2 GB, resulting in allocation of a tiny buffer and subsequent heap buffer overflow [2][3]. This bug is similar to CVE-2018-14618 [3]. The affected code path is only reachable when using POP3(S), IMAP(S), or SMTP(S) protocols [3].
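
The size-calculation flaw described above, as an added example (not curl's source and not taken from the advisory). It models a 32-bit size_t with uint32_t so the wrap reproduces on any host; the length formula `2*ulen + plen + 2`, both bounds checks and all function names are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* uint32_t stands in for a 32-bit size_t so the wrap reproduces on any host. */
#define SIZE32_MAX UINT32_MAX

/* Assumed message layout: user name twice, password once, two NUL separators. */
static uint32_t plain_len32(uint32_t ulen, uint32_t plen)
{
  return (uint32_t)(2u * ulen + plen + 2u); /* wraps modulo 2^32 */
}

/* Size the message really needs, computed without wrapping. */
uint64_t true_len(uint32_t ulen, uint32_t plen)
{
  return 2 * (uint64_t)ulen + plen + 2;
}

/* Weak check (assumed): bounds each input alone, so 2*ulen + plen can wrap. */
bool weak_check(uint32_t ulen, uint32_t plen, uint32_t *alloc)
{
  if(ulen > SIZE32_MAX / 2 || plen > SIZE32_MAX / 2 - 2)
    return false;
  *alloc = plain_len32(ulen, plen);
  return true;
}

/* Strict check (assumed): 2*ulen <= MAX/2 and plen + 2 <= MAX/2, so no wrap. */
bool strict_check(uint32_t ulen, uint32_t plen, uint32_t *alloc)
{
  if(ulen > SIZE32_MAX / 4 || plen > SIZE32_MAX / 2 - 2)
    return false;
  *alloc = plain_len32(ulen, plen);
  return true;
}

int main(void)
{
  /* Constructed lengths: user name just over 1 GB, password just under 2 GB. */
  uint32_t ulen = 0x40000010u, plen = 0x7FFFFFF0u, alloc = 0;
  if(weak_check(ulen, plen, &alloc))
    printf("weak: allocates %u bytes, needs %llu\n", (unsigned)alloc,
           (unsigned long long)true_len(ulen, plen));
  printf("strict: %s\n", strict_check(ulen, plen, &alloc) ? "accepted" : "rejected");
  return 0;
}
```

With the constructed lengths the weak check passes and the wrapped size is 18 bytes, while the strict check rejects the input before any allocation.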

Exploitation

An attacker must provide a username longer than 1 GB and a password close to 2 GB to trigger the integer overflow. This requires control over the credentials passed to libcurl, for example via a crafted URL or command-line argument. The vulnerability is only exploitable on 32-bit systems and only when the SASL PLAIN mechanism is used with POP3, IMAP, or SMTP [3]. No authentication is required from the attacker beyond the ability to supply the oversized input.

Impact

Successful exploitation causes a heap buffer overflow, typically resulting in a crash (denial of service). The Ubuntu advisory notes that arbitrary code execution may be possible under certain conditions [1], though the curl project rates the severity as Low [3]. The overflow corrupts heap memory, potentially allowing an attacker to overwrite adjacent data structures.

Mitigation

The vulnerability is fixed in curl version 7.62.0 [3]. Users should upgrade to this version or later. Patches are available for earlier versions [3]. As a workaround, restrict the length of usernames passed to libcurl to well below 1 GB. Ubuntu has released updated packages in USN-3805-1 [1], and Gentoo provides an updated package in GLSA 201903-03 [4]. Apart from that length restriction, no workaround is available for systems that cannot be upgraded.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

20
