PT-2018-2550 · Curl+5
Brian Carpenter
·
Published
2018-07-18
·
Updated
2026-05-18
·
CVE-2018-16842
CVSS v3.1
9.1
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
curl (the command-line tool) versions 7.14.1 through 7.61.1 inclusive; fixed in 7.62.0
Description
The curl command-line tool prints warning and informational messages to stderr through its voutf() function (src/tool_msgs.c), which word-wraps long messages at a fixed width. The wrapping logic contains a heap-based buffer over-read: after each wrapped line it advances past the cut point but miscalculates the number of bytes that remain, so the remaining-length counter overstates what is left in the heap-allocated message and the loop reads, and prints, bytes beyond the end of the buffer. The result is a crash (denial of service) or disclosure of adjacent heap memory. This becomes a security issue when an attacker controls the text of a message and can see the output, for example a server that runs the curl command line with user-supplied arguments and shows its stderr to the user: the user's input triggers the over-read and the leaked heap contents appear in the displayed output.
Recommendations
For curl 7.14.1 through 7.61.1, update to curl 7.62.0 or later, the first release containing the fix; if you depend on a distribution package (see Affected Products), install the vendor update that backports it. Until the update is deployed, treat the curl tool's stderr as untrusted output: do not let untrusted users control command-line input that ends up in warning or informational messages, and do not show the tool's stderr to them. The flaw is in the curl command-line tool only; applications that link libcurl directly do not go through this code path.
Fix
The fix corrects the remaining-length arithmetic in the wrap loop of voutf() in src/tool_msgs.c and shipped in curl 7.62.0.
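The program below is an added illustration; it is not curl's code and is not part of this advisory. It models the voutf() wrap loop the description refers to: look back from the wrap width for a space, print that chunk, step past the space, and subtract from the remaining length. The two variants differ only in the subtraction: the miscounting one forgets the skipped space, the corrected one accounts for it. That exact one-line form is my reading of the upstream fix and should be treated as an assumption, as should the sample message, the width of 10 and the "Warning: " prefix (curl's real width is 79 minus the prefix length). Every byte access goes through a bounds-checking helper that counts, rather than performs, reads outside the allocation, so the program is safe to run and reports how many bytes the real loop would have read past the heap buffer.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample input: eight 5-byte words, then a 7-byte tail that
   lands in the window where the miscounted length still exceeds the wrap
   width although fewer real bytes remain. */
static const char SAMPLE[] =
    "aaaa bbbb cccc dddd eeee ffff gggg hhhh iiiiiii";
#define SAMPLE_WIDTH 10U   /* assumed width; curl uses 79 - strlen(prefix) */

struct wrap_result {
    size_t lines;      /* lines the loop would write to stderr */
    size_t oob_reads;  /* byte accesses that fall outside the allocation */
};

/* Bounds-checked read: the allocation holds the text plus its NUL, so any
   index >= alloc is memory the loop does not own. Count it and hand back a
   stand-in byte instead of dereferencing. */
static int peek(const char *buf, size_t idx, size_t alloc, size_t *oob)
{
    if (idx < alloc)
        return (unsigned char)buf[idx];
    (*oob)++;
    return 'X';
}

/* Model of the voutf() wrap loop. fixed == 0 reproduces the miscount,
   fixed != 0 the corrected subtraction. Pass out == NULL to measure only. */
struct wrap_result wrap_message(const char *msg, size_t width, int fixed,
                                FILE *out)
{
    struct wrap_result r = {0, 0};
    size_t alloc = strlen(msg) + 1;   /* bytes the buffer really owns */
    size_t len = strlen(msg);         /* the loop's own count of what is left */
    size_t pos = 0;                   /* the loop's own position in the text */

    while (len > 0) {
        if (out)
            fputs("Warning: ", out);  /* assumed fixed prefix */
        if (len > width) {
            size_t cut = width - 1;
            /* Scan back for a space; msg[pos + cut] is read even when it
               lies past the terminating NUL. */
            while (!isspace(peek(msg, pos + cut, alloc, &r.oob_reads)) && cut)
                cut--;
            if (cut == 0)
                cut = width - 1;      /* no space found: hard cut at width */
            /* fwrite(ptr, cut + 1, 1, stderr) copies cut + 1 bytes blindly */
            for (size_t i = 0; i <= cut; i++) {
                int c = peek(msg, pos + i, alloc, &r.oob_reads);
                if (out)
                    fputc(isprint(c) ? c : '.', out);
            }
            if (out)
                fputc('\n', out);
            pos += cut + 1;                   /* skip the space too */
            len -= fixed ? cut + 1 : cut;     /* the arithmetic that differs */
        } else {
            if (pos >= alloc)
                r.oob_reads++;        /* fputs() would start outside the buffer */
            else if (out)
                fputs(msg + pos, out);
            if (out)
                fputc('\n', out);
            len = 0;
        }
        r.lines++;
    }
    return r;
}

int main(void)
{
    struct wrap_result bad = wrap_message(SAMPLE, SAMPLE_WIDTH, 0, NULL);
    struct wrap_result good = wrap_message(SAMPLE, SAMPLE_WIDTH, 1, stdout);
    printf("miscounted: %zu lines, %zu out-of-bounds reads\n",
           bad.lines, bad.oob_reads);
    printf("corrected:  %zu lines, %zu out-of-bounds reads\n",
           good.lines, good.oob_reads);
    return 0;
}
```

On the sample message the miscounting variant enters the wrap branch a fifth time with only the 7-byte tail left, scans and copies bytes past the NUL, then calls the equivalent of fputs() on a pointer that has already left the allocation; the corrected variant stops after four wraps and prints the tail normally. Messages that never wrap, or whose tail falls outside the danger window, behave identically in both variants, which is why the bug survived for years in ordinary use.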
DoS
Out of bounds Read
Weakness Enumeration
CWE-125: Out-of-bounds Read
Related Identifiers
Affected Products
Alt Linux
Centos
Curl
Red Hat
Suse
Ubuntu