cURL: Heap-based buffer overflow — GLSA 201807-04

A heap-based buffer overflow in cURL might allow remote attackers to execute arbitrary code.

Affected packages

net-misc/curl on all architectures
Affected versions < 7.61.0
Unaffected versions >= 7.61.0

Background

A command line tool and library for transferring data with URLs.

Description

A heap-based buffer overflow was discovered in cURL’s Curl_smtp_escape_eob() function.

Impact

An attacker could cause a Denial of Service condition or execute arbitrary code via SMTP connections.

Workaround

There is no known workaround at this time.

Resolution

All cURL users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-misc/curl-7.61.0"
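Before and after the upgrade above, an administrator usually wants a quick way to tell whether a given host's curl is inside the affected range. The following POSIX shell script is an added example and is not part of this GLSA or of the Gentoo tooling; it parses the first line of `curl --version` output (whose "curl X.Y.Z (...)" banner format is upstream's, as assumed here) and compares the version field by field against the fixed version 7.61.0 stated in the advisory. The sample banners are constructed, not captured from a real host, and the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not part of GLSA 201807-04): classify a curl version banner
# as affected (< 7.61.0) or unaffected (>= 7.61.0). Only FIXED_VERSION comes
# from the advisory; the helper names below are this example's own.
FIXED_VERSION="7.61.0"

# version_lt A B: return 0 when dotted version A sorts before B, 1 otherwise.
# Fields are compared numerically, so 7.9.0 < 7.61.0 holds (a plain string
# comparison would get that wrong); missing fields count as 0.
version_lt() {
    a="$1"; b="$2"
    i=1
    while [ "$i" -le 3 ]; do
        fa=$(printf '%s' "$a" | cut -d. -f"$i")
        fb=$(printf '%s' "$b" | cut -d. -f"$i")
        fa=${fa:-0}; fb=${fb:-0}
        if [ "$fa" -lt "$fb" ]; then return 0; fi
        if [ "$fa" -gt "$fb" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# curl_version_from_banner BANNER: print "X.Y.Z" taken from the first line of
# `curl --version` output; prints nothing if the line does not look like one.
# Trailing suffixes such as "-DEV" are dropped by the regex.
curl_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/^curl \([0-9][0-9.]*\).*/\1/p'
}

# glsa_201807_04_affected BANNER: print "affected", "unaffected" or "unknown".
# Exit status: 0 affected, 1 unaffected, 2 could not parse the banner.
glsa_201807_04_affected() {
    v=$(curl_version_from_banner "$1")
    if [ -z "$v" ]; then
        echo "unknown"
        return 2
    fi
    if version_lt "$v" "$FIXED_VERSION"; then
        echo "affected"
        return 0
    fi
    echo "unaffected"
    return 1
}

# Constructed sample banners (assumption: same layout as upstream's banner;
# these are not real output captured from any host).
SAMPLE_OLD="curl 7.60.0 (x86_64-pc-linux-gnu) libcurl/7.60.0 OpenSSL/1.1.0h zlib/1.2.11"
SAMPLE_NEW="curl 7.61.0 (x86_64-pc-linux-gnu) libcurl/7.61.0 OpenSSL/1.1.0h zlib/1.2.11"

# When run as a script, report on the host's own curl binary, if any.
if command -v curl >/dev/null 2>&1; then
    glsa_201807_04_affected "$(curl --version 2>/dev/null)" || :
fi
```

The check looks only at the upstream version string of the `curl` binary on PATH; on a Gentoo host the authoritative answer is the installed net-misc/curl package version, which is exactly what the `emerge` command in the Resolution brings to 7.61.0 or later.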

References

Release date
July 29, 2018

Latest revision
July 29, 2018: 1

Severity
normal

Exploitable
remote

Bugzilla entries