{"id":"CURL-CVE-2018-16839","summary":"SASL password overflow via integer overflow","details":"libcurl contains a buffer overrun in the SASL authentication code.\n\nThe internal function `Curl_auth_create_plain_message` fails to correctly\nverify that the passed in lengths for name and password are not too long, then\ncalculates a buffer size to allocate.\n\nOn systems with a 32-bit `size_t`, the math to calculate the buffer size\ntriggers an integer overflow when the username length exceeds 1GB and the\npassword name length is close to 2GB in size. This integer overflow usually\ncauses a tiny buffer to actually get allocated instead of the intended huge\none, making the use of that buffer end up in a heap buffer overflow.\n\n(This bug is similar to\n[CVE-2018-14618](https://curl.se/docs/CVE-2018-14618.html).)","aliases":["CVE-2018-16839"],"modified":"2025-11-12T00:50:45Z","published":"2018-10-31T08:00:00Z","database_specific":{"affects":"both","URL":"https://curl.se/docs/CVE-2018-16839.json","www":"https://curl.se/docs/CVE-2018-16839.html","package":"curl","severity":"Low","last_affected":"7.61.1","CWE":{"id":"CWE-131","desc":"Incorrect Calculation of Buffer Size"}},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.33.0"},{"fixed":"7.62.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"c56f9797e7feb7c2dc93bc389d4b85cc75220d77"},{"fixed":"f3a24d7916b9173c69a3e0ee790102993833d6c5"}]}],"versions":["7.61.1","7.61.0","7.60.0","7.59.0","7.58.0","7.57.0","7.56.1","7.56.0","7.55.1","7.55.0","7.54.1","7.54.0","7.53.1","7.53.0","7.52.1","7.52.0","7.51.0","7.50.3","7.50.2","7.50.1","7.50.0","7.49.1","7.49.0","7.48.0","7.47.1","7.47.0","7.46.0","7.45.0","7.44.0","7.43.0","7.42.1","7.42.0","7.41.0","7.40.0","7.39.0","7.38.0","7.37.1","7.37.0","7.36.0","7.35.0","7.34.0","7.33.0"],"database_specific":{"vanir_signatures":[{"signature_type":"Function","source":"https://github.com/curl/curl.git/commit/f3a24d7916b9173c69a3e0ee790102993833d6c5","signature_version":"v1","id":"CURL-CVE-2018-16839-712de67c","deprecated":false,"digest":{"length":711,"function_hash":"307941837594799485192212106034451078774"},"target":{"function":"Curl_auth_create_plain_message","file":"lib/vauth/cleartext.c"}},{"signature_type":"Line","source":"https://github.com/curl/curl.git/commit/f3a24d7916b9173c69a3e0ee790102993833d6c5","signature_version":"v1","id":"CURL-CVE-2018-16839-c4e18881","deprecated":false,"digest":{"line_hashes":["323405508741544077634728860040609514286","223299084025646397460911356647096920855","237287603532771469400165005710548925177","294262302604077010113878498613345104589"],"threshold":0.9},"target":{"file":"lib/vauth/cleartext.c"}}],"source":"https://curl.se/docs/CURL-CVE-2018-16839.json"}}],"schema_version":"1.7.3","credits":[{"name":"Harry Sintonen","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}