CVE-2006-1061
TFTP Packet Buffer Overflow
Project curl Security Advisory, March 20th 2006
VULNERABILITY
libcurl uses the file part of a TFTP URL in a manner that allows a malicious user to overflow a heap-based memory buffer, because the length of that file part is never checked against the buffer.
This overflow happens if you pass in a URL with a TFTP protocol prefix ("tftp://"), using a valid host and a path part that is longer than 512 bytes.
The flaw can also be triggered by a redirect: if curl/libcurl is told to follow redirects and an HTTP server points the client to a tftp URL with the characteristics described above, the same overflow occurs.
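As an added illustration of the flaw class described above, and not libcurl's code or the actual patch, the following builds a TFTP read request into a fixed 512-byte payload, showing the unchecked copy of the URL path beside a bounds-checked builder that rejects oversized paths. The struct layout, function names and the "octet" transfer mode are assumptions for the illustration.

```c
/* Added illustration of the flaw class in this advisory (CWE-122): a TFTP read
 * request (RRQ) built into a fixed 512-byte payload. Not libcurl's code; the
 * struct layout, function names and the "octet" mode are assumptions. */
#include <stdlib.h>
#include <string.h>
#define TFTP_BLKSIZE 512   /* classic TFTP data block size (RFC 1350) */
#define TFTP_OP_RRQ  1
struct tftp_packet {
    unsigned char opcode[2];   /* opcode, big-endian on the wire */
    char data[TFTP_BLKSIZE];   /* RRQ payload: "filename\0mode\0" */
};
/* Unchecked pattern, for contrast only: the URL path is copied into the
 * 512-byte payload without a length check, so a longer path writes past
 * data[] into adjacent heap memory. */
void tftp_build_rrq_unchecked(struct tftp_packet *pkt, const char *filename)
{
    pkt->opcode[0] = 0;
    pkt->opcode[1] = TFTP_OP_RRQ;
    strcpy(pkt->data, filename);                        /* no bound */
    strcpy(pkt->data + strlen(filename) + 1, "octet");  /* no bound */
}
/* Hardened builder: rejects a filename that, with its NUL and the mode
 * string, would not fit the payload. Returns total packet length in bytes,
 * or -1 on rejection. */
int tftp_build_rrq(struct tftp_packet *pkt, const char *filename, const char *mode)
{
    size_t fn_len = strlen(filename), mode_len = strlen(mode);
    size_t payload = fn_len + 1 + mode_len + 1;
    if (payload > sizeof(pkt->data))
        return -1;
    pkt->opcode[0] = 0;
    pkt->opcode[1] = TFTP_OP_RRQ;
    memcpy(pkt->data, filename, fn_len + 1);
    memcpy(pkt->data + fn_len + 1, mode, mode_len + 1);
    return (int)(sizeof(pkt->opcode) + payload);
}
/* Builds an RRQ for a constructed path of path_len 'A's and returns the
 * checked builder's verdict, so the 512-byte boundary can be probed exactly. */
int tftp_path_accepted(size_t path_len)
{
    struct tftp_packet *pkt = calloc(1, sizeof(*pkt));
    char *path = malloc(path_len + 1);
    memset(path, 'A', path_len);
    path[path_len] = '\0';
    int rc = tftp_build_rrq(pkt, path, "octet");
    free(path);
    free(pkt);
    return rc;
}
```

With the "octet" mode string, the checked builder accepts a path of up to 505 bytes and rejects 506 or more, because the filename, its terminator and the mode must all fit in the 512-byte payload.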
INFO
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2006-1061 to this issue.
CWE-122: Heap-based Buffer Overflow
Severity: High
AFFECTED VERSIONS
- Affected versions: curl and libcurl 7.15.0 to and including 7.15.2
- Not affected versions: curl and libcurl < 7.14.1 and curl >= 7.15.3
libcurl 7.15.1 and 7.15.2 contain code that prevents the vulnerable code path from being executed on architectures where the struct involved does not have the same packed size it has on x86, so on those architectures they are not vulnerable. For exact details on this, please review the code and the patch.
curl is used by many applications but not always advertised as such.
SOLUTION
RECOMMENDATIONS
We suggest you take one of the following actions immediately:
A - Upgrade to curl and libcurl 7.15.3
B - Apply the patch to your libcurl version
C - Build curl with TFTP disabled with configure --disable-tftp
TIMELINE
We were notified March 10, 2006. The notification email contained a valid patch.
Daniel did not read the mail until the 12th due to vacations.
curl 7.15.3 was released on March 20 2006, just before this flaw was publicly disclosed.
CREDITS
- Reported-by: Ulf Harnhammar
- Patched-by: Daniel Stenberg
Thanks a lot!