Docs Overview
Project
Bug Bounty Bug Report Code of conduct Dependencies Donate FAQ Features Governance History Install Known Bugs Logo TODO website Info
Protocols
CA Extract HTTP cookies HTTP/3 MQTT SSL certs SSL libs compared URL syntax WebSocket
Releases
Changelog curl CVEs Release Table Version Numbering Vulnerabilities
Tool
Comparison Table curl man page HTTP Scripting mk-ca-bundle Tutorial When options were added
Who and Why
Companies Copyright Sponsors Thanks The name
curl / Docs / curl CVEs / .netrc parser out-of-bounds access
Related:
Audits
Bug Bounty
Changelog
curl CVEs
JSON metadata
Original report
Vulnerability Disclosure
Vulnerabilities Table
Awarded 480 USD

CVE-2022-35260

.netrc parser out-of-bounds access

Project curl Security Advisory, October 26 2022 - Permalink

VULNERABILITY

curl can be told to parse a .netrc file for credentials. If that file ends in a line with consecutive non-white space letters and no newline, curl could read past the end of the stack-based buffer, and if the read works, write a zero byte possibly beyond its boundary.

This does in most cases cause a segfault or similar, but circumstances might also cause different outcomes.

If a malicious user can provide a custom netrc file to an application or otherwise affect its contents, this flaw could be used as denial-of-service.

INFO

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2022-35260 to this issue.

CWE-121: Stack-based Buffer Overflow

Severity: low

AFFECTED VERSIONS

libcurl is used by many applications, but not always advertised as such!

SOLUTION

RECOMMENDATIONS

A - Upgrade curl to version 7.86.0

B - Apply the patch to your local version

C - Do not use .netrc files

TIMELINE

This issue was reported to the curl project on October 3, 2022. We contacted distros@openwall on October 18, 2022.

libcurl 7.86.0 was released on October 26 2022, coordinated with the publication of this advisory.

CREDITS

Thanks a lot!