libcurl - (bulletinjan2019)ID: oval:org.secpod.oval:def:2103499 | Date: (C)2019-12-31 (M)2022-10-10 |
Class: PATCH | Family: unix |
libcurl versions from 7.34.0 to before 7.64.0 are vulnerable to a heap out-of-bounds read in the code handling the end-of-response for SMTP. If the buffer passed to `smtp_endofresp()` isn"t NUL terminated and contains no character ending the parsed number, and `len` is set to 5, then the `strtol()` call reads beyond the allocated buffer. The read contents will not be returned to the caller.