curl: CVE-2018-0500: SMTP send heap buffer overflow


Debian Bug report logs - #903546

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 11 Jul 2018 08:15:01 UTC

Severity: grave

Tags: security, upstream

Found in version curl/7.56.1-1

Fixed in version curl/7.61.0-1

Done: Alessandro Ghedini <ghedo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Alessandro Ghedini <ghedo@debian.org>:
Bug#903546; Package src:curl. (Wed, 11 Jul 2018 08:15:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Alessandro Ghedini <ghedo@debian.org>. (Wed, 11 Jul 2018 08:15:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: curl: CVE-2018-0500: SMTP send heap buffer overflow
Date: Wed, 11 Jul 2018 10:11:50 +0200
Source: curl
Version: 7.56.1-1
Severity: grave
Tags: security upstream

Hi,

The following vulnerability was published for curl, filing bug for
tracking purposes.

CVE-2018-0500[0]:
SMTP send heap buffer overflow

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-0500
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0500
[1] https://curl.haxx.se/docs/adv_2018-70a2.html

Regards,
Salvatore



Reply sent to Alessandro Ghedini <ghedo@debian.org>:
You have taken responsibility. (Sat, 11 Aug 2018 13:21:14 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 11 Aug 2018 13:21:14 GMT)


Message #10 received at 903546-close@bugs.debian.org:

From: Alessandro Ghedini <ghedo@debian.org>
To: 903546-close@bugs.debian.org
Subject: Bug#903546: fixed in curl 7.61.0-1
Date: Sat, 11 Aug 2018 13:19:36 +0000
Source: curl
Source-Version: 7.61.0-1

We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 903546@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alessandro Ghedini <ghedo@debian.org> (supplier of updated curl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 11 Aug 2018 13:32:28 +0100
Source: curl
Binary: curl libcurl4 libcurl3-gnutls libcurl3-nss libcurl4-openssl-dev libcurl4-gnutls-dev libcurl4-nss-dev libcurl4-doc
Architecture: source
Version: 7.61.0-1
Distribution: unstable
Urgency: medium
Maintainer: Alessandro Ghedini <ghedo@debian.org>
Changed-By: Alessandro Ghedini <ghedo@debian.org>
Description:
 curl       - command line tool for transferring data with URL syntax
 libcurl3-gnutls - easy-to-use client-side URL transfer library (GnuTLS flavour)
 libcurl3-nss - easy-to-use client-side URL transfer library (NSS flavour)
 libcurl4   - easy-to-use client-side URL transfer library (OpenSSL flavour)
 libcurl4-doc - documentation for libcurl
 libcurl4-gnutls-dev - development files and documentation for libcurl (GnuTLS flavour)
 libcurl4-nss-dev - development files and documentation for libcurl (NSS flavour)
 libcurl4-openssl-dev - development files and documentation for libcurl (OpenSSL flavour)
Closes: 883174 888449 902628 903546
Changes:
 curl (7.61.0-1) unstable; urgency=medium
 .
   * New upstream release
     + Fix SMTP send heap buffer overflow as per CVE-2018-0500 (Closes: #903546)
       https://curl.haxx.se/docs/adv_2018-70a2.html
     + Fix some crashes related to HTTP/2 (Closes: #902628)
   * Disable libssh4 on Ubuntu.
     Thanks to Gianfranco Costamagna for the patch (Closes: #888449)
   * Bump Standards-Version to 4.2.0 (no changes needed)
   * Don't configure default CA bundle with OpenSSL and GnuTLS (Closes: #883174)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 09 Sep 2018 07:27:10 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:37:44 2019; Machine Name: buxtehude
