PT-2018-8862 · Curl +3

Peter Wu · Published 2018-07-11 · Updated 2026-05-18 · CVE-2018-0500

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

curl versions 7.54.1 through 7.60.0

Description

The issue is related to a heap-based buffer overflow in the Curl_smtp_escape_eob() function when curl transmits data over SMTP with certain settings, such as a nonstandard --limit-rate argument or CURLOPT_BUFFERSIZE value. This occurs because the size of the temporary scratch area allocated on the heap is mistakenly set to 2 * sizeof(download_buffer) instead of 2 * sizeof(upload_buffer). The upload and download buffer sizes are identically sized by default, but since version 7.54.1, curl can resize the download buffer into a smaller buffer. If the download buffer size is set to a value smaller than 10923, the Curl_smtp_escape_eob() function might overflow the scratch buffer when sending contents of sufficient size.

Recommendations

For curl versions 7.54.1 through 7.60.0, consider disabling the use of the --limit-rate argument or CURLOPT_BUFFERSIZE value to minimize the risk of exploitation until a patch is available. Avoid using reduced read buffer sizes when sending data over SMTP to prevent potential buffer overflows. As a temporary workaround, consider setting the download buffer size to a value larger than 10923 to prevent the Curl_smtp_escape_eob() function from overflowing the scratch buffer.
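The sizing error described above, as an added example (not curl's code and not part of the original advisory): a simplified, bounds-checked model of SMTP dot-stuffing, which turns each CRLF "." into CRLF "..", used to show why a scratch area of 2 * download buffer stops being enough below 10923. The 16384-byte upload buffer size and the names stuffed_worst_case, dot_stuff and scratch_fits are assumptions that do not appear on this page.

```c
#include <stddef.h>
#include <stdio.h>

#define UPLOAD_BUFSIZE 16384 /* assumption: default upload buffer size; not on the page */

/* Worst-case stuffed length: each "\r\n." (3 bytes) grows to "\r\n.." (4). */
size_t stuffed_worst_case(size_t n) { return n + n / 3; }

/* Simplified model of SMTP dot-stuffing (not curl's implementation): doubles a
   '.' that directly follows CRLF. Returns 0 and sets *out_len on success, or
   -1 when dst (cap bytes) is too small; it never writes past dst + cap. */
int dot_stuff(const unsigned char *src, size_t n,
              unsigned char *dst, size_t cap, size_t *out_len)
{
  size_t o = 0;
  int state = 0; /* 0: nothing pending, 1: saw CR, 2: saw CRLF */
  for (size_t i = 0; i < n; i++) {
    unsigned char c = src[i];
    size_t need = (state == 2 && c == '.') ? 2 : 1;
    if (cap - o < need)
      return -1; /* refuse rather than overrun the scratch area */
    dst[o++] = c;
    if (need == 2)
      dst[o++] = '.';
    state = (c == '\r') ? 1 : (c == '\n' && state == 1) ? 2 : 0;
  }
  *out_len = o;
  return 0;
}

/* Size the scratch area the flawed way (2 * download buffer) and stuff one
   full upload buffer of constructed worst-case input into it.
   Returns 1 if it fits, 0 if the scratch area would have been overrun. */
int scratch_fits(size_t download_bufsize)
{
  static unsigned char in[UPLOAD_BUFSIZE], out[2 * UPLOAD_BUFSIZE];
  size_t cap = 2 * download_bufsize, len = 0;
  if (cap > sizeof(out)) cap = sizeof(out);
  for (size_t i = 0; i < sizeof(in); i++)
    in[i] = (unsigned char)"\r\n."[i % 3]; /* constructed sample input */
  return dot_stuff(in, sizeof(in), out, cap, &len) == 0;
}

int main(void)
{
  size_t sizes[] = { 1024, 10922, 10923, 16384 };
  for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++)
    printf("%5zu: scratch %s\n", sizes[i], scratch_fits(sizes[i]) ? "fits" : "too small");
}
```

Under the same 16384-byte assumption, a scratch area sized from the upload buffer holds 32768 bytes, so the 21845-byte worst case always fits regardless of the download buffer setting.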

Exploit

Fix

Heap Based Buffer Overflow

Memory Corruption


Weakness Enumeration

Related Identifiers

ALT-PU-2018-2026
ALT-PU-2018-2456
CLEANSTART-2026-AY18527
CLEANSTART-2026-BW46578
CLEANSTART-2026-DI23929
CLEANSTART-2026-LQ42192
CLEANSTART-2026-OF85770
CVE-2018-0500
MGASA-2018-0423
OPENSUSE-SU-2018_2431-1
OPENSUSE-SU-2024:10582-1
SUSE-SU-2018:2423-1
SUSE-SU-2018_2423-1
USN-3710-1

Affected Products

Alt Linux
Suse
Ubuntu
Curl