cURL / Mailing Lists / curl-library / Single Mail

curl-library

ADVISORY: libcurl data callback excessive length

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Tue, 9 Feb 2010 12:38:36 +0100 (CET)

                     libcurl data callback excessive length
                     ======================================

Project cURL Security Advisory, February 9th 2010
http://curl.haxx.se/docs/security.html

1. VULNERABILITY

   When downloading data, libcurl hands it over to the application using a
   callback that is registered by the client software. libcurl will then call
   that function repeatedly with data until the transfer is complete. The
   callback is documented to receive a maximum data size of 16K
   (CURL_MAX_WRITE_SIZE).

   Using the affected libcurl version to download compressed content over HTTP,
   an application can ask libcurl to automatically uncompress data. When doing
   so, libcurl can wrongly send data up to 64K in size to the callback which
   thus is much larger than the documented maximum size. An application that
   blindly trusts libcurl's max limit for a fixed buffer size or similar is
   then a possible target for a buffer overflow vulnerability.

   This error is only present in zlib-enabled builds of libcurl and only if
   automatic decompression has been explicitly enabled by the application - it
   is disabled by default.

   There is no known exploit for this problem and we have not found any libcurl
   client software that is vulnerable to this flaw - but we acknowledge that
   there may still be vulnerable software in existence.

2. AFFECTED VERSIONS

   Affected versions: curl and libcurl 7.10.5 to and including 7.19.7
   Not affected versions: curl and libcurl <= 7.10.4 and >= 7.20.0

   If you build curl or libcurl to not use zlib or make your app not tell
   libcurl to do this magic, you are not affected.

   Also note that (lib)curl is used by many applications, and not always
   advertised as such.

3. THE SOLUTION

   libcurl 7.20.0 makes sure that the length argument in the callback never
   exceeds the documented max length.

4. RECOMMENDATIONS

   We suggest you take one of the following actions immediately, in order of
   preference:

   A - Upgrade to curl and libcurl 7.20.0

   B - Apply this patch and rebuild

       http://curl.haxx.se/libcurl-contentencoding.patch

   C - Disable automatic content encoding decompression in your application

   D - Rebuild curl without zlib support

   E - change your code to use 4*CURL_MAX_WRITE_SIZE for buffer sizes

5. TIME LINE

   We were notified by Wesley Miaw on January 9th, 2010.

   We discussed solutions and a first patch was written and tested on January
   9th.

   Vendor-sec was informed on January 10th, 2010.

   curl 7.20.0 was released on February 9th 2010, just before this flaw was
   publicly disclosed.

6. CREDITS

   Reported to us by Wesley Miaw. Thanks a lot!

   Daniel Stenberg wrote the primary patch and this advisory

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2010-02-09