[SECURITY ADVISORY] curl: Integer overflows in curl_url_set

Related Vulnerabilities: CVE-2019-5435  
                							

From: Daniel Stenberg <daniel () haxx se>

Date: Wed, 22 May 2019 09:23:51 +0200 (CEST)

Integer overflows in `curl_url_set()`
=====================================

Project curl Security Advisory, May 22nd 2019 -
[Permalink](https://curl.haxx.se/docs/CVE-2019-5435.html)

VULNERABILITY
-------------

libcurl contains two integer overflows in the `curl_url_set()` function that,
if triggered, can lead to a too small buffer allocation and a subsequent heap
buffer overflow.

The flaws only exist on 32 bit architectures and require excessive string
input lengths.

We are not aware of any exploit of this flaw.

INFO
----

There are two entry points to this issue, on 32 bit architectures.

Asking libcurl to parse a string longer than 2GB by passing it to this API:
`curl_url_set(uh, CURLUPART_URL, "string", 0);` triggers the bug.

Asking libcurl to update a URL with a new string, and URL encode it in the
process, by passing in a string longer than 1.33GB to this API:
`curl_url_set(uh, CURLUPART_*, "string", CURLU_URLENCODE);` triggers the bug.

This bug was introduced in August 2018 in
[commit fb30ac5a2d](https://github.com/curl/curl/commit/fb30ac5a2d63773c52).

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2019-5435 to this issue.

CWE-131: Incorrect Calculation of Buffer Size

Severity: 3.7 (Low)

AFFECTED VERSIONS
-----------------

- Affected versions: libcurl 7.62.0 to and including 7.64.1
- Not affected versions: libcurl < 7.62.0 and >= libcurl 7.65.0

libcurl is used by many applications, but not always advertised as such.

THE SOLUTION
------------

A [fix for CVE-2019-5435](https://github.com/curl/curl/commit/5fc28510a4664f4) is already merged.

RECOMMENDATIONS
--------------

We suggest you take one of the following actions immediately, in order of
preference:

 A - Upgrade curl to version 7.65.0

 B - Apply the patch to your version and rebuild

TIMELINE
--------

The issue was reported to the curl project on April 24, 2019. The patch was
communicated to the reporter on April 25, 2019. We contacted distros@openwall
on May 15.

curl 7.65.0 was released on May 22 2019, coordinated with the publication of
this advisory.

CREDITS
-------

Reported by Wenchao Li. Patch by Daniel Stenberg.

Thanks a lot!

--

 / daniel.haxx.se | Get the best commercial curl support there is - from me
                  | Private help, bug fixes, support, ports, new features
                  | https://www.wolfssl.com/contact/
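
The buffer-size miscalculation described under INFO, as an added example that is not part of the original advisory and not libcurl's code: it models a 32-bit `size_t` with `uint32_t` and contrasts an unchecked size computation with a checked one. The names `size32_t`, `alloc_size_unchecked` and `alloc_size_checked` are hypothetical; the factor 3 is the worst case of URL encoding, and the factor 2 for the parse case is an assumption chosen because it matches the 2GB threshold.

```c
#include <stdint.h>
#include <stdio.h>

/* Models size_t on a 32-bit build so the wrap reproduces on any host. */
typedef uint32_t size32_t;

/* Unchecked sizing: factor * len + 1 (for the NUL), computed modulo 2^32.
   factor 3 is the worst case of URL encoding (each byte becomes %XX). */
size32_t alloc_size_unchecked(size32_t len, size32_t factor)
{
  return (size32_t)(factor * len + 1);
}

/* Checked sizing: returns 0 and stores the size in *out, or returns -1
   when factor * len + 1 does not fit in 32 bits. */
int alloc_size_checked(size32_t len, size32_t factor, size32_t *out)
{
  if(factor && len > (UINT32_MAX - 1) / factor)
    return -1;
  *out = factor * len + 1;
  return 0;
}

int main(void)
{
  /* Constructed lengths just past the thresholds named in the advisory. */
  const size32_t enc_len = 1431655766u; /* > 2^32 / 3, about 1.33GB */
  const size32_t dbl_len = 2147483648u; /* 2GB; factor 2 is an assumption */
  size32_t sz = 0;

  printf("encode: need 3*%u+1 bytes, unchecked size = %u\n",
         (unsigned)enc_len, (unsigned)alloc_size_unchecked(enc_len, 3));
  printf("parse:  need 2*%u+1 bytes, unchecked size = %u\n",
         (unsigned)dbl_len, (unsigned)alloc_size_unchecked(dbl_len, 2));

  if(alloc_size_checked(enc_len, 3, &sz))
    printf("checked: input rejected before allocation\n");
  if(!alloc_size_checked(1000, 3, &sz))
    printf("checked: 1000 input bytes -> %u byte buffer\n", (unsigned)sz);
  return 0;
}
```

An allocation of a few bytes followed by a copy of the full input is the too small buffer and heap buffer overflow the advisory describes; on 64-bit builds the same products fit in `size_t`, which is why only 32 bit architectures are affected.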
