CVE-2024-6874
macidn punycode buffer overread
Project curl Security Advisory, July 24th 2024 - Permalink
VULNERABILITY
libcurl's URL API function curl_url_get() offers punycode conversions, to and from IDN. Asking to convert a name that is exactly 256 bytes, libcurl ends up reading outside of a stack based buffer when built to use the macidn IDN backend. The conversion function then fills up the provided buffer exactly - but does not null terminate the string.
This flaw can lead to stack contents accidentally getting returned as part of the converted string.
INFO
This bug was introduced curl 8.8.0 release and is considered a C mistake (likely to have been avoided had we not been using C).
This flaw does not affect the curl command line tool.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2024-6874 to this issue.
CWE-126: Buffer Over-read
Severity: Low
AFFECTED VERSIONS
The vulnerable code can only be reached when curl is built to use macidn, the native IDN conversion library bundled with Apple's operating systems: macOS, iOS, ipadOS etc. Builds using other IDN backends are not vulnerable.
- Affected version: curl 8.8.0
- Not affected versions: curl < 8.8.0 and >= 8.9.0
- Introduced-in: https://github.com/curl/curl/commit/add22feeef07858307be57
libcurl is used by many applications, but not always advertised as such!
SOLUTION
RECOMMENDATIONS
We suggest you take one of the following actions immediately, in order of preference:
A - Upgrade curl and libcurl to version 8.9.0
B - Apply the patch to your version and rebuild
C - Build your libcurl with an unaffected IDN backend
TIMELINE
This issue was reported to the curl project on July 16, 2024.
curl 8.9.0 was released on July 24 2024 around 06:00 UTC, coordinated with the publication of this advisory.
CREDITS
- Reported-by: z2_
- Patched-by: z2_
Thanks a lot!