Docs Overview
Project
Bug Bounty Bug Report Code of conduct Dependencies Donate FAQ Features Governance History Install Known Bugs Logo TODO website Info
Protocols
CA Extract HTTP cookies HTTP/3 MQTT SSL certs SSL libs compared URL syntax WebSocket
Releases
Changelog curl CVEs Release Table Version Numbering Vulnerabilities
Tool
Comparison Table curl manpage HTTP Scripting mk-ca-bundle Tutorial When options were added
Who and Why
Companies Copyright Sponsors Thanks The name
curl / Docs / curl CVEs / freeing stack buffer in utf8asn1str
Related:
Audits
Bug Bounty
Changelog
curl CVEs
JSON metadata
Original report
Vulnerability Disclosure
Vulnerabilities Table
Awarded 2540 USD

CVE-2024-6197

freeing stack buffer in utf8asn1str

Project curl Security Advisory, July 24th 2024 - Permalink

VULNERABILITY

libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. It can detect an invalid field and return error. Unfortunately, when doing so it also invokes free() on a 4 byte local stack buffer.

Most modern malloc implementations detect this error and immediately abort. Some however accept the input pointer and add that memory to its list of available chunks. This leads to the overwriting of nearby stack memory. The content of the overwrite is decided by the free() implementation; likely to be memory pointers and a set of flags.

The most likely outcome of exploiting this flaw is a crash, although it cannot be ruled out that more serious results can be had in special circumstances.

INFO

The vulnerable code path can be triggered by a malicious server offering an especially crafted TLS certificate.

This bug was introduced in a code refactor shipped in the curl 8.6.0 release and is considered a C mistake (likely to have been avoided had we not been using C).

This flaw also affects the curl command line tool.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2024-6197 to this issue.

CWE-590: Free of Memory not on the Heap

Severity: Medium

AFFECTED VERSIONS

The vulnerable code can only be reached when curl is built to use GnuTLS, wolfSSL, Schannel, Secure Transport or mbedTLS. Builds using other TLS backends are not vulnerable.

libcurl is used by many applications, but not always advertised as such!

SOLUTION

RECOMMENDATIONS

We suggest you take one of the following actions immediately, in order of preference:

A - Upgrade curl and libcurl to version 8.9.0

B - Apply the patch to your version and rebuild

C - Build your libcurl with an unaffected TLS backend

TIMELINE

This issue was reported to the curl project on June 19, 2024. We contacted distros@openwall on July 15, 2024.

curl 8.9.0 was released on July 24 2024 around 06:00 UTC, coordinated with the publication of this advisory.

CREDITS

Thanks a lot!