CVE-2018-0500
CVSS: N/A
Published: 2018-07-11 09:29:00
Revised: 2018-07-12 21:29:01

[Original] Curl_smtp_escape_eob in lib/smtp.c in curl before 7.61.0 has a heap-based buffer overflow that might be exploitable by an attacker who can control the data that curl transmits over SMTP with certain settings (i.e., use of a nonstandard --limit-rate argument or CURLOPT_BUFFERSIZE value).


[CNNVD] CNNVD data not yet available.


[Machine translation] Translation not yet available.

- CVSS (base score)

CVSS not yet available

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0500
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0500
(official data source) NVD

- Other links and resources

http://www.securitytracker.com/id/1041280
(UNKNOWN)  SECTRACK  1041280
https://curl.haxx.se/docs/adv_2018-70a2.html
(UNKNOWN)  CONFIRM  https://curl.haxx.se/docs/adv_2018-70a2.html
https://github.com/curl/curl/commit/ba1dbd78e5f1ed67c1b8d37ac89d90e5e330b628
(UNKNOWN)  CONFIRM  https://github.com/curl/curl/commit/ba1dbd78e5f1ed67c1b8d37ac89d90e5e330b628
https://usn.ubuntu.com/3710-1/
(UNKNOWN)  UBUNTU  USN-3710-1

- Vulnerability information (F148501)

Ubuntu Security Notice USN-3710-1 (PacketStormID:F148501)
2018-07-11 00:00:00
Ubuntu security.ubuntu.com
advisory,remote,denial of service,arbitrary
linux,ubuntu
CVE-2018-0500

Ubuntu Security Notice 3710-1 - Peter Wu discovered that curl incorrectly handled certain SMTP buffers. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code.

==========================================================================
Ubuntu Security Notice USN-3710-1
July 11, 2018

curl vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 17.10

Summary:

curl could be made to crash or run programs if it received specially
crafted network traffic.

Software Description:
- curl: HTTP, HTTPS, and FTP client and client libraries

Details:

Peter Wu discovered that curl incorrectly handled certain SMTP buffers. A
remote attacker could use this issue to cause curl to crash, resulting in a
denial of service, or possibly execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
  curl                            7.58.0-2ubuntu3.2
  libcurl3-gnutls                 7.58.0-2ubuntu3.2
  libcurl3-nss                    7.58.0-2ubuntu3.2
  libcurl4                        7.58.0-2ubuntu3.2

Ubuntu 17.10:
  curl                            7.55.1-1ubuntu2.6
  libcurl3                        7.55.1-1ubuntu2.6
  libcurl3-gnutls                 7.55.1-1ubuntu2.6
  libcurl3-nss                    7.55.1-1ubuntu2.6

In general, a standard system update will make all the necessary changes.

References:
  https://usn.ubuntu.com/usn/usn-3710-1
  CVE-2018-0500

Package Information:
  https://launchpad.net/ubuntu/+source/curl/7.58.0-2ubuntu3.2
  https://launchpad.net/ubuntu/+source/curl/7.55.1-1ubuntu2.6


- Vulnerability information (F148518)

Slackware Security Advisory - curl Updates (PacketStormID:F148518)
2018-07-12 00:00:00
Slackware Security Team slackware.com
advisory
linux,slackware
CVE-2018-0500

Slackware Security Advisory - New curl packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix a security issue.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  curl (SSA:2018-192-02)

New curl packages are available for Slackware 14.0, 14.1, 14.2, and -current to
fix a security issue.


Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/curl-7.61.0-i586-1_slack14.2.txz:  Upgraded.
  This update fixes a buffer overflow in SMTP send.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0500
  (* Security fix *)
+--------------------------+


Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/curl-7.61.0-i486-1_slack14.0.txz

Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/curl-7.61.0-x86_64-1_slack14.0.txz

Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/curl-7.61.0-i486-1_slack14.1.txz

Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/curl-7.61.0-x86_64-1_slack14.1.txz

Updated package for Slackware 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/curl-7.61.0-i586-1_slack14.2.txz

Updated package for Slackware x86_64 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/curl-7.61.0-x86_64-1_slack14.2.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/curl-7.61.0-i586-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/curl-7.61.0-x86_64-1.txz


MD5 signatures:
+-------------+

Slackware 14.0 package:
fbcfd446b8068e16a43c28ca742f2650  curl-7.61.0-i486-1_slack14.0.txz

Slackware x86_64 14.0 package:
21bf24cfa0acd12a8aa7d7e022a2ca17  curl-7.61.0-x86_64-1_slack14.0.txz

Slackware 14.1 package:
37135b04c91293591591e2118d7f3030  curl-7.61.0-i486-1_slack14.1.txz

Slackware x86_64 14.1 package:
05c6d3cba63f0bdf13398f67f2a70aad  curl-7.61.0-x86_64-1_slack14.1.txz

Slackware 14.2 package:
b570adabc34d5e79b83fb41220825738  curl-7.61.0-i586-1_slack14.2.txz

Slackware x86_64 14.2 package:
ac45db4dd8bed91a4fffcfc34bb117c8  curl-7.61.0-x86_64-1_slack14.2.txz

Slackware -current package:
5c8c2504722db0cddbfa0f6452af5464  n/curl-7.61.0-i586-1.txz

Slackware x86_64 -current package:
3f5d0f918f5d5dc08268e36ed17e9fe6  n/curl-7.61.0-x86_64-1.txz


Installation instructions:
+------------------------+

Upgrade the package as root:
# upgradepkg curl-7.61.0-i586-1_slack14.2.txz


+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com

+------------------------------------------------------------------------+
| To leave the slackware-security mailing list:                          |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message:                                                     |
|                                                                        |
|   unsubscribe slackware-security                                       |
|                                                                        |
| You will get a confirmation message back containing instructions to    |
| complete the process.  Please do not reply to this email address.      |
+------------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAltGjU4ACgkQakRjwEAQIjMBBQCghtpyyZsQIuLr/1q/DhyedQ4X
+4gAn2ljECzyNNA+Vp8h/TGcZZKKHZ/t
=FIzW
-----END PGP SIGNATURE-----