Docs Overview
Project
Bug Bounty Bug Report Code of conduct Dependencies Donate FAQ Features Governance History Install Known Bugs Logo TODO website Info
Protocols
CA Extract HTTP cookies HTTP/3 MQTT SSL certs SSL libs compared URL syntax WebSocket
Releases
Changelog curl CVEs Release Table Version Numbering Vulnerabilities
Tool
Comparison Table curl man page HTTP Scripting mk-ca-bundle Tutorial When options were added
Who and Why
Companies Copyright Sponsors Thanks The name
curl / Docs / curl CVEs / URL Buffer Overflow
Related:
Audits
Bug Bounty
Changelog
curl CVEs
JSON metadata
Vulnerability Disclosure
Vulnerabilities Table

CVE-2005-4077

URL Buffer Overflow

Project curl Security Advisory, December 7th 2005 Permalink

VULNERABILITY

libcurl's URL parser function can overflow a heap based buffer in two ways, if given a too long URL.

These overflows happen if you

1 - pass in a URL with no protocol (like "http://") prefix, using no slash and the string is 256 bytes or longer. This leads to a single zero byte overflow of the heap buffer.

2 - pass in a URL with only a question mark as separator (no slash) between the host and the query part of the URL. This leads to a single zero byte overflow of the heap buffer.

Both overflows can be made with the same input string, leading to two single zero byte overwrites.

The affected flaw cannot be triggered by a redirect, but the long URL must be passed in "directly" to libcurl. It makes this a "local" problem. Of course, lots of programs may still pass in user-provided URLs to libcurl without doing much syntax checking of their own, allowing a user to exploit this vulnerability.

INFO

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2005-4077 to this issue.

CWE-122: Heap-based Buffer Overflow

Severity: High

AFFECTED VERSIONS

Also note that (lib)curl is used by many applications, and not always advertised as such.

SOLUTION

RECOMMENDATIONS

We suggest you take one of the following actions immediately:

A - Upgrade to curl and libcurl 7.15.1

B - Apply the patch to your libcurl version

C - Make sure the URLs you pass to libcurl always have a protocol part prepended

TIMELINE

We were notified on November 29 2005.

Discussions were held and the patch to fix this flaw was made swiftly.

Dec 12 2005: Additional info on what's required for 7.14.0 and earlier was provided in a Redhat bug report. The provided patch was updated and adjusted to the newly discovered facts.

CREDITS

Thanks a lot!