
libcurl URL Buffer Overflow Vulnerability

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Wed, 7 Dec 2005 00:17:52 +0100 (CET)

                   libcurl URL Buffer Overflow Vulnerability
                   =========================================

Project cURL Security Advisory, December 7th 2005
http://curl.haxx.se/docs/adv_20051207.html

1. VULNERABILITY

libcurl's URL parser function can overflow a malloced buffer in two ways if
given an overly long URL.

These overflows happen if you

  1 - pass in a URL with no protocol prefix (like "http://") and no slash,
      where the string is 256 bytes or longer. This leads to a single zero byte
      overflow of the malloced buffer.

  2 - pass in a URL with only a question mark as separator (no slash) between
      the host and the query part of the URL. This leads to a single zero byte
      overflow of the malloced buffer.

Both overflows can be made with the same input string, leading to two single
zero byte overwrites.

The flaw cannot be triggered by a redirect; the long URL must be passed
"directly" to libcurl, which makes this a "local" problem. Of course, lots of
programs may still pass user-provided URLs to libcurl without doing much syntax
checking of their own, allowing a user to exploit this vulnerability.

There is no known exploit at the time of this writing.

2. AFFECTED VERSIONS

Affected versions: curl and libcurl 7.11.2 to and including 7.15.0
Not affected versions: curl and libcurl 7.11.1 and earlier, 7.15.1 and later

Also note that (lib)curl is used by many applications, and not always
advertised as such.

3. RECOMMENDATIONS

We suggest you take one of the following actions immediately:

  I - Upgrade to curl and libcurl 7.15.1

  II - Apply the patch http://curl.haxx.se/libcurl-urllen.patch to your
       libcurl version and install this

  III - Make sure the URLs you pass to libcurl always have a protocol part
        prepended
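As an added illustration of recommendation III (this is example code written for
this page, not part of the advisory and not curl's own code), the C helpers below
check that a URL carries a protocol prefix before it is handed to libcurl, and
prepend a default scheme when it lacks one. The function names, the
MAX_URL_LEN cap and the sample inputs are this example's own assumptions; it does
not link against libcurl, so it builds and runs stand-alone.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed application-level cap on URL length (example value, not a
   libcurl constant). */
#define MAX_URL_LEN 2048

enum url_check { URL_OK = 0, URL_NO_SCHEME = -1, URL_TOO_LONG = -2, URL_BAD_CHAR = -3 };

/* True if url starts with an RFC 3986 scheme followed by "://":
   ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) "://" */
bool has_scheme_prefix(const char *url)
{
    const char *p = url;
    if (p == NULL || !isalpha((unsigned char)*p))
        return false;
    for (p++; isalnum((unsigned char)*p) || *p == '+' || *p == '-' || *p == '.'; p++)
        ;
    return strncmp(p, "://", 3) == 0;
}

/* Validate a user-supplied URL before it reaches curl_easy_setopt(CURLOPT_URL).
   Rejects a missing protocol prefix (the condition the advisory's overflow
   needs), control characters, and over-long strings. */
enum url_check check_url_for_libcurl(const char *url)
{
    size_t len;
    if (url == NULL)
        return URL_BAD_CHAR;
    len = strlen(url);
    if (len > MAX_URL_LEN)
        return URL_TOO_LONG;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)url[i];
        if (c < 0x20 || c == 0x7f)
            return URL_BAD_CHAR;
    }
    if (!has_scheme_prefix(url))
        return URL_NO_SCHEME;
    return URL_OK;
}

/* Return a heap copy of url with scheme + "://" prepended when url has no
   protocol prefix. Caller frees the result; NULL on allocation failure,
   NULL input, or when the result would exceed MAX_URL_LEN. */
char *with_default_scheme(const char *url, const char *scheme)
{
    size_t ulen, slen, total;
    char *out;
    if (url == NULL || scheme == NULL)
        return NULL;
    ulen = strlen(url);
    if (has_scheme_prefix(url)) {
        out = malloc(ulen + 1);
        if (out == NULL)
            return NULL;
        memcpy(out, url, ulen + 1);
        return out;
    }
    slen = strlen(scheme);
    total = slen + 3 + ulen;              /* scheme + "://" + url */
    if (total > MAX_URL_LEN)
        return NULL;
    out = malloc(total + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, scheme, slen);
    memcpy(out + slen, "://", 3);
    memcpy(out + slen + 3, url, ulen + 1); /* includes terminating NUL */
    return out;
}

int main(void)
{
    /* Constructed sample inputs: one shaped like the advisory's second case
       (no scheme, '?' as the only separator), one that is already fine. */
    const char *samples[] = { "example.com?q=1", "http://example.com/" };
    for (size_t i = 0; i < 2; i++) {
        char *fixed = with_default_scheme(samples[i], "http");
        printf("%-22s check=%d -> %s\n", samples[i],
               (int)check_url_for_libcurl(samples[i]), fixed ? fixed : "(null)");
        free(fixed);
    }
    return 0;
}
```

Only URLs that pass check_url_for_libcurl (or the output of with_default_scheme)
should be handed to curl_easy_setopt; a program that accepts arbitrary
user-provided strings and forwards them unchanged is exactly the case the
advisory warns about.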

4. TIME LINE

We were notified by Stefan Esser on November 29th, 2005.

Discussions were held and the patch to fix this flaw was made swiftly.

5. CREDITS

Reported to us by Stefan Esser. Thanks a lot!

-- 
  Commercial curl and libcurl Technical Support: http://haxx.se/curl.html
Received on 2005-12-07