Arch Linux 749 Published by

The following Curl security updates has been released for Arch Linux:

ASA-201807-10: curl: arbitrary code execution
ASA-201807-5: lib32-curl: arbitrary code execution
ASA-201807-6: lib32-libcurl-compat: arbitrary code execution
ASA-201807-7: lib32-libcurl-gnutls: arbitrary code execution
ASA-201807-8: libcurl-compat: arbitrary code execution
ASA-201807-9: libcurl-gnutls: arbitrary code execution



ASA-201807-10: curl: arbitrary code execution

Arch Linux Security Advisory ASA-201807-10
==========================================

Severity: High
Date : 2018-07-16
CVE-ID : CVE-2018-0500
Package : curl
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-729

Summary
=======

The package curl before version 7.61.0-1 is vulnerable to arbitrary
code execution.

Resolution
==========

Upgrade to 7.61.0-1.

# pacman -Syu "curl>=7.61.0-1"

The problem has been fixed upstream in version 7.61.0.

Workaround
==========

None.

Description
===========

It has been discovered that curl before 7.61.0 might overflow a heap
based memory buffer when sending data over SMTP and using a reduced
read buffer.

When sending data over SMTP, curl allocates a separate "scratch area"
on the heap to be able to escape the uploaded data properly if the
uploaded data contains data that requires it. The size of this
temporary scratch area was mistakenly made to be 2 *
sizeof(download_buffer) when it should have been made 2 *
sizeof(upload_buffer). The upload and the download buffer sizes are
identically sized by default (16KB) but since version 7.54.1, curl can
resize the download buffer into a smaller buffer (as well as larger).
If the download buffer size is set to a value smaller than 10923, the
Curl_smtp_escape_eob() function might overflow the scratch buffer when
sending contents of sufficient size and contents. The curl command line
tool lowers the buffer size when --limit-rate is set to a value smaller
than 16KB.

Impact
======

A remote attacker is able to execute arbitrary code when sending SMTP
data.

References
==========

https://curl.haxx.se/docs/adv_2018-70a2.html
https://security.archlinux.org/CVE-2018-0500


ASA-201807-5: lib32-curl: arbitrary code execution

Arch Linux Security Advisory ASA-201807-5
=========================================

Severity: High
Date : 2018-07-16
CVE-ID : CVE-2018-0500
Package : lib32-curl
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-730

Summary
=======

The package lib32-curl before version 7.61.0-1 is vulnerable to
arbitrary code execution.

Resolution
==========

Upgrade to 7.61.0-1.

# pacman -Syu "lib32-curl>=7.61.0-1"

The problem has been fixed upstream in version 7.61.0.

Workaround
==========

None.

Description
===========

It has been discovered that curl before 7.61.0 might overflow a heap
based memory buffer when sending data over SMTP and using a reduced
read buffer.

When sending data over SMTP, curl allocates a separate "scratch area"
on the heap to be able to escape the uploaded data properly if the
uploaded data contains data that requires it. The size of this
temporary scratch area was mistakenly made to be 2 *
sizeof(download_buffer) when it should have been made 2 *
sizeof(upload_buffer). The upload and the download buffer sizes are
identically sized by default (16KB) but since version 7.54.1, curl can
resize the download buffer into a smaller buffer (as well as larger).
If the download buffer size is set to a value smaller than 10923, the
Curl_smtp_escape_eob() function might overflow the scratch buffer when
sending contents of sufficient size and contents. The curl command line
tool lowers the buffer size when --limit-rate is set to a value smaller
than 16KB.

Impact
======

A remote attacker is able to execute arbitrary code when sending SMTP
data.

References
==========

https://curl.haxx.se/docs/adv_2018-70a2.html
https://security.archlinux.org/CVE-2018-0500


ASA-201807-6: lib32-libcurl-compat: arbitrary code execution

Arch Linux Security Advisory ASA-201807-6
=========================================

Severity: High
Date : 2018-07-16
CVE-ID : CVE-2018-0500
Package : lib32-libcurl-compat
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-731

Summary
=======

The package lib32-libcurl-compat before version 7.61.0-1 is vulnerable
to arbitrary code execution.

Resolution
==========

Upgrade to 7.61.0-1.

# pacman -Syu "lib32-libcurl-compat>=7.61.0-1"

The problem has been fixed upstream in version 7.61.0.

Workaround
==========

None.

Description
===========

It has been discovered that curl before 7.61.0 might overflow a heap
based memory buffer when sending data over SMTP and using a reduced
read buffer.

When sending data over SMTP, curl allocates a separate "scratch area"
on the heap to be able to escape the uploaded data properly if the
uploaded data contains data that requires it. The size of this
temporary scratch area was mistakenly made to be 2 *
sizeof(download_buffer) when it should have been made 2 *
sizeof(upload_buffer). The upload and the download buffer sizes are
identically sized by default (16KB) but since version 7.54.1, curl can
resize the download buffer into a smaller buffer (as well as larger).
If the download buffer size is set to a value smaller than 10923, the
Curl_smtp_escape_eob() function might overflow the scratch buffer when
sending contents of sufficient size and contents. The curl command line
tool lowers the buffer size when --limit-rate is set to a value smaller
than 16KB.

Impact
======

A remote attacker is able to execute arbitrary code when sending SMTP
data.

References
==========

https://curl.haxx.se/docs/adv_2018-70a2.html
https://security.archlinux.org/CVE-2018-0500


ASA-201807-7: lib32-libcurl-gnutls: arbitrary code execution

Arch Linux Security Advisory ASA-201807-7
=========================================

Severity: High
Date : 2018-07-16
CVE-ID : CVE-2018-0500
Package : lib32-libcurl-gnutls
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-732

Summary
=======

The package lib32-libcurl-gnutls before version 7.61.0-1 is vulnerable
to arbitrary code execution.

Resolution
==========

Upgrade to 7.61.0-1.

# pacman -Syu "lib32-libcurl-gnutls>=7.61.0-1"

The problem has been fixed upstream in version 7.61.0.

Workaround
==========

None.

Description
===========

It has been discovered that curl before 7.61.0 might overflow a heap
based memory buffer when sending data over SMTP and using a reduced
read buffer.

When sending data over SMTP, curl allocates a separate "scratch area"
on the heap to be able to escape the uploaded data properly if the
uploaded data contains data that requires it. The size of this
temporary scratch area was mistakenly made to be 2 *
sizeof(download_buffer) when it should have been made 2 *
sizeof(upload_buffer). The upload and the download buffer sizes are
identically sized by default (16KB) but since version 7.54.1, curl can
resize the download buffer into a smaller buffer (as well as larger).
If the download buffer size is set to a value smaller than 10923, the
Curl_smtp_escape_eob() function might overflow the scratch buffer when
sending contents of sufficient size and contents. The curl command line
tool lowers the buffer size when --limit-rate is set to a value smaller
than 16KB.

Impact
======

A remote attacker is able to execute arbitrary code when sending SMTP
data.

References
==========

https://curl.haxx.se/docs/adv_2018-70a2.html
https://security.archlinux.org/CVE-2018-0500


ASA-201807-8: libcurl-compat: arbitrary code execution

Arch Linux Security Advisory ASA-201807-8
=========================================

Severity: High
Date : 2018-07-16
CVE-ID : CVE-2018-0500
Package : libcurl-compat
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-733

Summary
=======

The package libcurl-compat before version 7.61.0-1 is vulnerable to
arbitrary code execution.

Resolution
==========

Upgrade to 7.61.0-1.

# pacman -Syu "libcurl-compat>=7.61.0-1"

The problem has been fixed upstream in version 7.61.0.

Workaround
==========

None.

Description
===========

It has been discovered that curl before 7.61.0 might overflow a heap
based memory buffer when sending data over SMTP and using a reduced
read buffer.

When sending data over SMTP, curl allocates a separate "scratch area"
on the heap to be able to escape the uploaded data properly if the
uploaded data contains data that requires it. The size of this
temporary scratch area was mistakenly made to be 2 *
sizeof(download_buffer) when it should have been made 2 *
sizeof(upload_buffer). The upload and the download buffer sizes are
identically sized by default (16KB) but since version 7.54.1, curl can
resize the download buffer into a smaller buffer (as well as larger).
If the download buffer size is set to a value smaller than 10923, the
Curl_smtp_escape_eob() function might overflow the scratch buffer when
sending contents of sufficient size and contents. The curl command line
tool lowers the buffer size when --limit-rate is set to a value smaller
than 16KB.

Impact
======

A remote attacker is able to execute arbitrary code when sending SMTP
data.

References
==========

https://curl.haxx.se/docs/adv_2018-70a2.html
https://security.archlinux.org/CVE-2018-0500


ASA-201807-9: libcurl-gnutls: arbitrary code execution

Arch Linux Security Advisory ASA-201807-9
=========================================

Severity: High
Date : 2018-07-16
CVE-ID : CVE-2018-0500
Package : libcurl-gnutls
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-734

Summary
=======

The package libcurl-gnutls before version 7.61.0-1 is vulnerable to
arbitrary code execution.

Resolution
==========

Upgrade to 7.61.0-1.

# pacman -Syu "libcurl-gnutls>=7.61.0-1"

The problem has been fixed upstream in version 7.61.0.

Workaround
==========

None.

Description
===========

It has been discovered that curl before 7.61.0 might overflow a heap
based memory buffer when sending data over SMTP and using a reduced
read buffer.

When sending data over SMTP, curl allocates a separate "scratch area"
on the heap to be able to escape the uploaded data properly if the
uploaded data contains data that requires it. The size of this
temporary scratch area was mistakenly made to be 2 *
sizeof(download_buffer) when it should have been made 2 *
sizeof(upload_buffer). The upload and the download buffer sizes are
identically sized by default (16KB) but since version 7.54.1, curl can
resize the download buffer into a smaller buffer (as well as larger).
If the download buffer size is set to a value smaller than 10923, the
Curl_smtp_escape_eob() function might overflow the scratch buffer when
sending contents of sufficient size and contents. The curl command line
tool lowers the buffer size when --limit-rate is set to a value smaller
than 16KB.

Impact
======

A remote attacker is able to execute arbitrary code when sending SMTP
data.

References
==========

https://curl.haxx.se/docs/adv_2018-70a2.html
https://security.archlinux.org/CVE-2018-0500