CVE-2013-0249

Name of the Vulnerable Software and Affected Versions curl versions 7.26.0 through 7.28.1 curl versions prior to 7.34.0

Description The issue is related to a stack-based buffer overflow in the Curl sasl create digest md5 message function when negotiating SASL DIGEST-MD5 authentication. This can be exploited by remote attackers via a long string in the realm parameter in POP3, SMTP, or IMAP messages, potentially leading to a denial of service or execution of arbitrary code. The vulnerability can be exploited by someone in control of a server that a libcurl-based program is accessing, or by a malicious user feeding an application with a URL to a server hosting code targeting this flaw. This vulnerability can be used for remote code execution on vulnerable systems.

Recommendations For curl versions 7.26.0 through 7.28.1, update to a version later than 7.28.1. For curl versions prior to 7.34.0, update to version 7.34.0 or later. As a temporary workaround, consider restricting access to the Curl sasl create digest md5 message function until a patch is available. Avoid using the realm parameter in affected API endpoints until the issue is resolved.