curl / Mailing Lists / curl-users / Single Mail
Buy commercial curl support. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder Daniel himself.

[SECURITY ADVISORY] curl: CVE-2024-6874: macidn punycode buffer overread

From: Daniel Stenberg via curl-users <curl-users_at_lists.haxx.se>
Date: Wed, 24 Jul 2024 08:35:28 +0200 (CEST)

macidn punycode buffer overread
===============================

Project curl Security Advisory, July 24th 2024 -
[Permalink](https://curl.se/docs/CVE-2024-6874.html)

VULNERABILITY
-------------

libcurl's URL API function
[curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) offers punycode
conversions, to and from IDN. Asking to convert a name that is exactly 256
bytes, libcurl ends up reading outside of a stack based buffer when built to
use the *macidn* IDN backend. The conversion function then fills up the
provided buffer exactly - but does not null terminate the string.

This flaw can lead to stack contents accidently getting returned as part of
the converted string.

INFO
----
This bug was introduced curl 8.8.0 release and is considered a *C mistake*
(likely to have been avoided had we not been using C).
This flaw does not affect the curl command line tool.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2024-6874 to this issue.
CWE-126: Buffer Over-read
Severity: Low
AFFECTED VERSIONS
-----------------
The vulnerable code can only be reached when curl is built to use macidn, the
native IDN conversion library bundled with Apple's operating systems: macOS,
iOS, ipadOS etc. Builds using other IDN backends are not vulnerable.
- Affected version: curl 8.8.0
- Not affected versions: curl < 8.8.0 and >= 8.9.0
- Introduced-in: https://github.com/curl/curl/commit/add22feeef07858307be57
libcurl is used by many applications, but not always advertised as such!
SOLUTION
------------
- Fixed-in: https://github.com/curl/curl/commit/686d54baf1df6e0775
RECOMMENDATIONS
---------------
We suggest you take one of the following actions immediately, in order of
preference:
  A - Upgrade curl and libcurl to version 8.9.0
  B - Apply the patch to your version and rebuild
  C - Build your libcurl with an unaffected IDN backend
TIMELINE
---------
This issue was reported to the curl project on July 16, 2024.
curl 8.9.0 was released on July 24 2024 around 06:00 UTC, coordinated with
the publication of this advisory.
CREDITS
-------
- Reported-by: z2_
- Patched-by: z2_
Thanks a lot!
-- 
  / daniel.haxx.se
  | Commercial curl support up to 24x7 is available!
  | Private help, bug fixes, support, ports, new features
  | https://curl.se/support.html
-- 
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-users
Etiquette:   https://curl.se/mail/etiquette.html
Received on 2024-07-24