Debian Bug report logs - #342339
Off-by-One heap overflow in curl's URL parsing code

version graph

Package: curl; Maintainer for curl is Alessandro Ghedini <ghedo@debian.org>; Source for curl is src:curl.

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Wed, 7 Dec 2005 09:48:02 UTC

Severity: important

Tags: security

Found in versions curl/7.15.0-5.1, curl/7.13.2-2

Fixed in version curl/7.15.1-1

Done: Domenico Andreoli <cavok@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Domenico Andreoli <cavok@debian.org>:
Bug#342339; Package curl. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Domenico Andreoli <cavok@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Off-by-One heap overflow in curl's URL parsing code
Date: Wed, 07 Dec 2005 10:34:52 +0100
Package: curl
Version: 7.15.0-5.1
Severity: important
Tags: security

Quoting Stefan Esser:
| During a quick scan of the URL parsing code within libcurl, it was
| discovered, that certain malformed URLs trigger an off-by-one(two)
| bufferoverflow. This may lead to unintended arbitrary code execution.

| Because the attacker must be able to force curl to load such an URL,
| which is not possible through a HTTP redirect, the impact is low.
| However a local attacker might use this vulnerability to break out
| of safe_mode/open_basedir restrictions when PHP is compiled with
| libcurl support.

Please see http://www.hardened-php.net/advisory_242005.109.html for
more information; it's fixed in 7.15.1

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-2-686
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)

Versions of packages curl depends on:
ii  libc6                         2.3.5-8.1  GNU C Library: Shared libraries an
ii  libcomerr2                    1.38-2     common error description library
ii  libcurl3                      7.15.0-5.1 Multi-protocol file transfer libra
ii  libidn11                      0.5.18-1   GNU libidn library, implementation
ii  libkrb53                      1.4.3-3    MIT Kerberos runtime libraries
ii  libssl0.9.8                   0.9.8a-4   SSL shared libraries
ii  zlib1g                        1:1.2.3-8  compression library - runtime

curl recommends no packages.

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#342339; Package curl. Full text and rfc822 format available.

Acknowledgement sent to Domenico Andreoli <cavok@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #10 received at 342339@bugs.debian.org (full text, mbox):

From: Domenico Andreoli <cavok@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 342339@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#342339: Off-by-One heap overflow in curl's URL parsing code
Date: Wed, 7 Dec 2005 11:34:29 +0100
[Message part 1 (text/plain, inline)]
found 342339 7.13.2-2
thanks

On Wed, Dec 07, 2005 at 10:34:52AM +0100, Moritz Muehlenhoff wrote:
> 

hi,

> Quoting Stefan Esser:
> | During a quick scan of the URL parsing code within libcurl, it was
> | discovered, that certain malformed URLs trigger an off-by-one(two)
> | bufferoverflow. This may lead to unintended arbitrary code execution.
> 
> | Because the attacker must be able to force curl to load such an URL,
> | which is not possible through a HTTP redirect, the impact is low.
> | However a local attacker might use this vulnerability to break out
> | of safe_mode/open_basedir restrictions when PHP is compiled with
> | libcurl support.
> 
> Please see http://www.hardened-php.net/advisory_242005.109.html for
> more information; it's fixed in 7.15.1

i'm already on it, thank you :)

cheers
domenico

-----[ Domenico Andreoli, aka cavok
 --[ http://people.debian.org/~cavok/gpgkey.asc
   ---[ 3A0F 2F80 F79C 678A 8936  4FEE 0677 9033 A20E BC50
[signature.asc (application/pgp-signature, inline)]

Bug marked as found in version 7.13.2-2. Request was from Domenico Andreoli <cavok@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Domenico Andreoli <cavok@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #17 received at 342339-close@bugs.debian.org (full text, mbox):

From: Domenico Andreoli <cavok@debian.org>
To: 342339-close@bugs.debian.org
Subject: Bug#342339: fixed in curl 7.15.1-1
Date: Wed, 07 Dec 2005 04:02:08 -0800
Source: curl
Source-Version: 7.15.1-1

We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive:

curl_7.15.1-1.diff.gz
  to pool/main/c/curl/curl_7.15.1-1.diff.gz
curl_7.15.1-1.dsc
  to pool/main/c/curl/curl_7.15.1-1.dsc
curl_7.15.1-1_i386.deb
  to pool/main/c/curl/curl_7.15.1-1_i386.deb
curl_7.15.1.orig.tar.gz
  to pool/main/c/curl/curl_7.15.1.orig.tar.gz
libcurl3-dbg_7.15.1-1_i386.deb
  to pool/main/c/curl/libcurl3-dbg_7.15.1-1_i386.deb
libcurl3-dev_7.15.1-1_all.deb
  to pool/main/c/curl/libcurl3-dev_7.15.1-1_all.deb
libcurl3-gnutls-dev_7.15.1-1_i386.deb
  to pool/main/c/curl/libcurl3-gnutls-dev_7.15.1-1_i386.deb
libcurl3-gnutls_7.15.1-1_i386.deb
  to pool/main/c/curl/libcurl3-gnutls_7.15.1-1_i386.deb
libcurl3-openssl-dev_7.15.1-1_i386.deb
  to pool/main/c/curl/libcurl3-openssl-dev_7.15.1-1_i386.deb
libcurl3_7.15.1-1_i386.deb
  to pool/main/c/curl/libcurl3_7.15.1-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 342339@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Domenico Andreoli <cavok@debian.org> (supplier of updated curl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed,  7 Dec 2005 11:11:38 +0100
Source: curl
Binary: libcurl3-dbg libcurl3 libcurl3-dev libcurl3-gnutls-dev libcurl3-openssl-dev libcurl3-gnutls curl
Architecture: source i386 all
Version: 7.15.1-1
Distribution: unstable
Urgency: low
Maintainer: Domenico Andreoli <cavok@debian.org>
Changed-By: Domenico Andreoli <cavok@debian.org>
Description: 
 curl       - Get a file from an HTTP, HTTPS, FTP or GOPHER server
 libcurl3   - Multi-protocol file transfer library
 libcurl3-dbg - libcurl compiled with debug symbols
 libcurl3-dev - Transitional package to libcurl3-openssl-dev
 libcurl3-gnutls - Multi-protocol file transfer library
 libcurl3-gnutls-dev - Development files and documentation for libcurl
 libcurl3-openssl-dev - Development files and documentation for libcurl
Closes: 342339
Changes: 
 curl (7.15.1-1) unstable; urgency=low
 .
   * New upstream release:
     - fixed buffer overflow in URL parser function (closes: #342339).
Files: 
 b9f37e421b29625b34236d2cce0de9bd 943 web optional curl_7.15.1-1.dsc
 63be206109486d4653c73823aa2b34fa 1769992 web optional curl_7.15.1.orig.tar.gz
 970f0c9138eec752ba8bc2a83cabc902 181898 web optional curl_7.15.1-1.diff.gz
 4ecc01783055bb626c3f9c8dd67959b3 167840 web optional curl_7.15.1-1_i386.deb
 62a415c03cfab48927ebf6c91d6e7779 165590 libs optional libcurl3_7.15.1-1_i386.deb
 221883f70851989a8a4292ce15274351 159920 libs optional libcurl3-gnutls_7.15.1-1_i386.deb
 eab7b49366b78dbb5ced4f214827c402 710818 libdevel optional libcurl3-openssl-dev_7.15.1-1_i386.deb
 66513c0a5eb783d709e4b57c1811211e 704254 libdevel optional libcurl3-gnutls-dev_7.15.1-1_i386.deb
 76b57528a1a107676a878ae925ff02ac 30222 libdevel optional libcurl3-dev_7.15.1-1_all.deb
 c580f1003f3215dc96d90fc4030d634c 509682 libdevel extra libcurl3-dbg_7.15.1-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDlszUBneQM6IOvFARAos5AKDE4qc5KfMmLEgkkEd4QQ47789WGgCbBhKx
kb9M+YT4mqTFdlaE41Qwu4Q=
=LZV+
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#342339; Package curl. Full text and rfc822 format available.

Acknowledgement sent to Domenico Andreoli <cavok@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #22 received at 342339@bugs.debian.org (full text, mbox):

From: Domenico Andreoli <cavok@debian.org>
To: debian-security@lists.debian.org
Cc: 342339@bugs.debian.org
Subject: curl 7.13.2-2sarge4 fixes #342339 for sarge and CVE-2005-4077
Date: Fri, 9 Dec 2005 10:27:12 +0100
[Message part 1 (text/plain, inline)]
hi,

  i prepared curl 7.13.2-2sarge4 which fixes a buffer overflow in URL
parser function (#342339, CVE-2005-4077).

complete description of the breach is available at
http://curl.haxx.se/docs/adv_20051207.html,
http://www.hardened-php.net/advisory_242005.109.html,
http://www.securityfocus.com/archive/1/archive/1/418849/100/0/threaded.

i uploaded it to http://people.debian.org/~cavok/curl/ for your revision.

$ debdiff curl_7.13.2-2sarge3.dsc curl_7.13.2-2sarge4.dsc
diff -u curl-7.13.2/debian/changelog curl-7.13.2/debian/changelog
--- curl-7.13.2/debian/changelog
+++ curl-7.13.2/debian/changelog
@@ -1,3 +1,10 @@
+curl (7.13.2-2sarge4) stable-security; urgency=high
+
+  * Fixed buffer overflow in URL parser function (closes: #342339).
+    CVE-2005-4077
+
+ -- Domenico Andreoli <cavok@debian.org>  Wed,  7 Dec 2005 13:21:53 +0100
+
 curl (7.13.2-2sarge3) stable-security; urgency=high
 
   * Fixed user+domain name buffer overflow in the NTLM code
only in patch2:
unchanged:
--- curl-7.13.2.orig/lib/url.c
+++ curl-7.13.2/lib/url.c
@@ -2318,12 +2318,18 @@
   if(urllen < LEAST_PATH_ALLOC)
     urllen=LEAST_PATH_ALLOC;
 
-  conn->pathbuffer=(char *)malloc(urllen);
+  /*
+   * We malloc() the buffers below urllen+2 to make room for to possibilities:
+   * 1 - an extra terminating zero
+   * 2 - an extra slash (in case a syntax like "www.host.com?moo" is used)
+   */
+
+  conn->pathbuffer=(char *)malloc(urllen+2);
   if(NULL == conn->pathbuffer)
     return CURLE_OUT_OF_MEMORY; /* really bad error */
   conn->path = conn->pathbuffer;
 
-  conn->host.rawalloc=(char *)malloc(urllen);
+  conn->host.rawalloc=(char *)malloc(urllen+2);
   if(NULL == conn->host.rawalloc)
     return CURLE_OUT_OF_MEMORY;
   conn->host.name = conn->host.rawalloc;
$

regards
domenico

-----[ Domenico Andreoli, aka cavok
 --[ http://people.debian.org/~cavok/gpgkey.asc
   ---[ 3A0F 2F80 F79C 678A 8936  4FEE 0677 9033 A20E BC50
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Domenico Andreoli <cavok@debian.org>:
Bug#342339; Package curl. Full text and rfc822 format available.

Acknowledgement sent to "omnya Lambert" <omnyaLambert@adiplastics.com>:
Extra info received and forwarded to list. Copy sent to Domenico Andreoli <cavok@debian.org>. Full text and rfc822 format available.

Message #27 received at 342339@bugs.debian.org (full text, mbox):

From: "omnya Lambert" <omnyaLambert@adiplastics.com>
To: <342339@bugs.debian.org>
Subject: ClipShare Sharing Matrix FProt
Date: Fri, 20 Apr 2007 15:37:50 +0600
Default port on which the RPCAP daemon is waiting for connections.

AN ALLE FINANZINVESTOREN!
DIESE AKTIE WIRD DURCHSTARTEN!
FREITAG 20. APRIL STARTET DIE HAUSSE!
REALISIERTER KURSGEWINN VON 400%+ IN 5 TAGEN!

Symbol: G7Q.F
Company: COUNTY LINE ENERGY
5 Tages Kursziel: 0.95
Schlusskurs: 0.21
WKN:  A0J3B0
ISIN: US2224791077
Markt: Frankfurt

LASSEN SIE SICH DIESE CHANCE NICHT ENTGEHEN!
G7Q WIRD WIE EINE RAKETE DURCHSTARTEN!
UNSERE ERWARTUNGEN WIRD G7Q.F UBERTREFFEN!

Definition at line 39 of file rpcapd.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 07:24:37 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 08:03:53 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.