Off-by-One heap overflow in curl's URL parsing code

Related Vulnerabilities: CVE-2005-4077  

Debian Bug report logs - #342339


Package: curl; Maintainer for curl is Alessandro Ghedini <ghedo@debian.org>; Source for curl is src:curl (PTS, buildd, popcon).

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Wed, 7 Dec 2005 09:48:02 UTC

Severity: important

Tags: security

Found in versions curl/7.15.0-5.1, curl/7.13.2-2

Fixed in version curl/7.15.1-1

Done: Domenico Andreoli <cavok@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Domenico Andreoli <cavok@debian.org>:
Bug#342339; Package curl. (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Domenico Andreoli <cavok@debian.org>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Off-by-One heap overflow in curl's URL parsing code
Date: Wed, 07 Dec 2005 10:34:52 +0100
Package: curl
Version: 7.15.0-5.1
Severity: important
Tags: security

Quoting Stefan Esser:
| During a quick scan of the URL parsing code within libcurl, it was
| discovered that certain malformed URLs trigger an off-by-one (two)
| buffer overflow. This may lead to unintended arbitrary code execution.

| Because the attacker must be able to force curl to load such a URL,
| which is not possible through an HTTP redirect, the impact is low.
| However, a local attacker might use this vulnerability to break out
| of safe_mode/open_basedir restrictions when PHP is compiled with
| libcurl support.

Please see http://www.hardened-php.net/advisory_242005.109.html for
more information; it's fixed in 7.15.1

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-2-686
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)

Versions of packages curl depends on:
ii  libc6                         2.3.5-8.1  GNU C Library: Shared libraries an
ii  libcomerr2                    1.38-2     common error description library
ii  libcurl3                      7.15.0-5.1 Multi-protocol file transfer libra
ii  libidn11                      0.5.18-1   GNU libidn library, implementation
ii  libkrb53                      1.4.3-3    MIT Kerberos runtime libraries
ii  libssl0.9.8                   0.9.8a-4   SSL shared libraries
ii  zlib1g                        1:1.2.3-8  compression library - runtime

curl recommends no packages.

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#342339; Package curl. (full text, mbox, link).


Acknowledgement sent to Domenico Andreoli <cavok@debian.org>:
Extra info received and forwarded to list. (full text, mbox, link).


Message #10 received at 342339@bugs.debian.org (full text, mbox, reply):

From: Domenico Andreoli <cavok@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 342339@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#342339: Off-by-One heap overflow in curl's URL parsing code
Date: Wed, 7 Dec 2005 11:34:29 +0100
[Message part 1 (text/plain, inline)]
found 342339 7.13.2-2
thanks

On Wed, Dec 07, 2005 at 10:34:52AM +0100, Moritz Muehlenhoff wrote:
> 

hi,

> Quoting Stefan Esser:
> | During a quick scan of the URL parsing code within libcurl, it was
> | discovered that certain malformed URLs trigger an off-by-one (two)
> | buffer overflow. This may lead to unintended arbitrary code execution.
> 
> | Because the attacker must be able to force curl to load such a URL,
> | which is not possible through an HTTP redirect, the impact is low.
> | However, a local attacker might use this vulnerability to break out
> | of safe_mode/open_basedir restrictions when PHP is compiled with
> | libcurl support.
> 
> Please see http://www.hardened-php.net/advisory_242005.109.html for
> more information; it's fixed in 7.15.1

i'm already on it, thank you :)

cheers
domenico

-----[ Domenico Andreoli, aka cavok
 --[ http://people.debian.org/~cavok/gpgkey.asc
   ---[ 3A0F 2F80 F79C 678A 8936  4FEE 0677 9033 A20E BC50
[signature.asc (application/pgp-signature, inline)]

Bug marked as found in version 7.13.2-2. Request was from Domenico Andreoli <cavok@debian.org> to control@bugs.debian.org. (full text, mbox, link).


Reply sent to Domenico Andreoli <cavok@debian.org>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (full text, mbox, link).


Message #17 received at 342339-close@bugs.debian.org (full text, mbox, reply):

From: Domenico Andreoli <cavok@debian.org>
To: 342339-close@bugs.debian.org
Subject: Bug#342339: fixed in curl 7.15.1-1
Date: Wed, 07 Dec 2005 04:02:08 -0800
Source: curl
Source-Version: 7.15.1-1

We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive:

curl_7.15.1-1.diff.gz
  to pool/main/c/curl/curl_7.15.1-1.diff.gz
curl_7.15.1-1.dsc
  to pool/main/c/curl/curl_7.15.1-1.dsc
curl_7.15.1-1_i386.deb
  to pool/main/c/curl/curl_7.15.1-1_i386.deb
curl_7.15.1.orig.tar.gz
  to pool/main/c/curl/curl_7.15.1.orig.tar.gz
libcurl3-dbg_7.15.1-1_i386.deb
  to pool/main/c/curl/libcurl3-dbg_7.15.1-1_i386.deb
libcurl3-dev_7.15.1-1_all.deb
  to pool/main/c/curl/libcurl3-dev_7.15.1-1_all.deb
libcurl3-gnutls-dev_7.15.1-1_i386.deb
  to pool/main/c/curl/libcurl3-gnutls-dev_7.15.1-1_i386.deb
libcurl3-gnutls_7.15.1-1_i386.deb
  to pool/main/c/curl/libcurl3-gnutls_7.15.1-1_i386.deb
libcurl3-openssl-dev_7.15.1-1_i386.deb
  to pool/main/c/curl/libcurl3-openssl-dev_7.15.1-1_i386.deb
libcurl3_7.15.1-1_i386.deb
  to pool/main/c/curl/libcurl3_7.15.1-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 342339@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Domenico Andreoli <cavok@debian.org> (supplier of updated curl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed,  7 Dec 2005 11:11:38 +0100
Source: curl
Binary: libcurl3-dbg libcurl3 libcurl3-dev libcurl3-gnutls-dev libcurl3-openssl-dev libcurl3-gnutls curl
Architecture: source i386 all
Version: 7.15.1-1
Distribution: unstable
Urgency: low
Maintainer: Domenico Andreoli <cavok@debian.org>
Changed-By: Domenico Andreoli <cavok@debian.org>
Description: 
 curl       - Get a file from an HTTP, HTTPS, FTP or GOPHER server
 libcurl3   - Multi-protocol file transfer library
 libcurl3-dbg - libcurl compiled with debug symbols
 libcurl3-dev - Transitional package to libcurl3-openssl-dev
 libcurl3-gnutls - Multi-protocol file transfer library
 libcurl3-gnutls-dev - Development files and documentation for libcurl
 libcurl3-openssl-dev - Development files and documentation for libcurl
Closes: 342339
Changes: 
 curl (7.15.1-1) unstable; urgency=low
 .
   * New upstream release:
     - fixed buffer overflow in URL parser function (closes: #342339).
Files: 
 b9f37e421b29625b34236d2cce0de9bd 943 web optional curl_7.15.1-1.dsc
 63be206109486d4653c73823aa2b34fa 1769992 web optional curl_7.15.1.orig.tar.gz
 970f0c9138eec752ba8bc2a83cabc902 181898 web optional curl_7.15.1-1.diff.gz
 4ecc01783055bb626c3f9c8dd67959b3 167840 web optional curl_7.15.1-1_i386.deb
 62a415c03cfab48927ebf6c91d6e7779 165590 libs optional libcurl3_7.15.1-1_i386.deb
 221883f70851989a8a4292ce15274351 159920 libs optional libcurl3-gnutls_7.15.1-1_i386.deb
 eab7b49366b78dbb5ced4f214827c402 710818 libdevel optional libcurl3-openssl-dev_7.15.1-1_i386.deb
 66513c0a5eb783d709e4b57c1811211e 704254 libdevel optional libcurl3-gnutls-dev_7.15.1-1_i386.deb
 76b57528a1a107676a878ae925ff02ac 30222 libdevel optional libcurl3-dev_7.15.1-1_all.deb
 c580f1003f3215dc96d90fc4030d634c 509682 libdevel extra libcurl3-dbg_7.15.1-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDlszUBneQM6IOvFARAos5AKDE4qc5KfMmLEgkkEd4QQ47789WGgCbBhKx
kb9M+YT4mqTFdlaE41Qwu4Q=
=LZV+
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#342339; Package curl. (full text, mbox, link).


Acknowledgement sent to Domenico Andreoli <cavok@debian.org>:
Extra info received and forwarded to list. (full text, mbox, link).


Message #22 received at 342339@bugs.debian.org (full text, mbox, reply):

From: Domenico Andreoli <cavok@debian.org>
To: debian-security@lists.debian.org
Cc: 342339@bugs.debian.org
Subject: curl 7.13.2-2sarge4 fixes #342339 for sarge and CVE-2005-4077
Date: Fri, 9 Dec 2005 10:27:12 +0100
[Message part 1 (text/plain, inline)]
hi,

  i prepared curl 7.13.2-2sarge4 which fixes a buffer overflow in the URL
parser function (#342339, CVE-2005-4077).

a complete description of the breach is available at
http://curl.haxx.se/docs/adv_20051207.html,
http://www.hardened-php.net/advisory_242005.109.html,
http://www.securityfocus.com/archive/1/archive/1/418849/100/0/threaded.

i uploaded it to http://people.debian.org/~cavok/curl/ for your review.

$ debdiff curl_7.13.2-2sarge3.dsc curl_7.13.2-2sarge4.dsc
diff -u curl-7.13.2/debian/changelog curl-7.13.2/debian/changelog
--- curl-7.13.2/debian/changelog
+++ curl-7.13.2/debian/changelog
@@ -1,3 +1,10 @@
+curl (7.13.2-2sarge4) stable-security; urgency=high
+
+  * Fixed buffer overflow in URL parser function (closes: #342339).
+    CVE-2005-4077
+
+ -- Domenico Andreoli <cavok@debian.org>  Wed,  7 Dec 2005 13:21:53 +0100
+
 curl (7.13.2-2sarge3) stable-security; urgency=high
 
   * Fixed user+domain name buffer overflow in the NTLM code
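Review bot: the CVE identifier in the new changelog entry sits on a bare continuation line under the bullet, which makes it easy to miss when the changelog is grepped or parsed for security references; fold it into the same sentence, e.g. "* Fixed buffer overflow in URL parser function (CVE-2005-4077, closes: #342339).". It would also help future auditing to name what was touched (the pathbuffer and host.rawalloc allocations in lib/url.c), since the entry as written does not say which parser function or file changed.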
only in patch4:
unchanged:
--- curl-7.13.2.orig/lib/url.c
+++ curl-7.13.2/lib/url.c
@@ -2318,12 +2318,18 @@
   if(urllen < LEAST_PATH_ALLOC)
     urllen=LEAST_PATH_ALLOC;
 
-  conn->pathbuffer=(char *)malloc(urllen);
+  /*
+   * We malloc() the buffers below urllen+2 to make room for to possibilities:
+   * 1 - an extra terminating zero
+   * 2 - an extra slash (in case a syntax like "www.host.com?moo" is used)
+   */
+
+  conn->pathbuffer=(char *)malloc(urllen+2);
   if(NULL == conn->pathbuffer)
     return CURLE_OUT_OF_MEMORY; /* really bad error */
   conn->path = conn->pathbuffer;
 
-  conn->host.rawalloc=(char *)malloc(urllen);
+  conn->host.rawalloc=(char *)malloc(urllen+2);
   if(NULL == conn->host.rawalloc)
     return CURLE_OUT_OF_MEMORY;
   conn->host.name = conn->host.rawalloc;
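Review bot: the new comment has a typo ("to make room for to possibilities" should read "for two possibilities"), and the fix itself only enlarges the two allocations to urllen+2; the writes that append the extra terminating zero and the inserted slash are outside this hunk, so the review should confirm that every copy into conn->pathbuffer and conn->host.rawalloc is bounded by that size (and that the LEAST_PATH_ALLOC minimum is applied before the +2 is relied on), otherwise the same off-by-two returns the next time the parser appends a byte. Since the "+2" is duplicated across both malloc() calls, a single named constant or one helper that computes the size would stop the two from drifting apart.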
$

regards
domenico

-----[ Domenico Andreoli, aka cavok
 --[ http://people.debian.org/~cavok/gpgkey.asc
   ---[ 3A0F 2F80 F79C 678A 8936  4FEE 0677 9033 A20E BC50
[signature.asc (application/pgp-signature, inline)]
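The patch above grows both URL buffers to urllen+2 because the parser can emit two bytes the input never contained: a leading "/" inserted in front of a query-only URL such as "www.host.com?moo", and the terminating zero. The following C program is an added illustration of that sizing rule and is not curl's code; the helpers path_alloc_size, extract_path and check_path are hypothetical and the URLs are constructed examples. It shows the defensive shape a reviewer wants to see: the allocation size is derived from the worst case, and the copy refuses to write when the caller's buffer is smaller than what it needs, rather than trusting that the caller got the size right.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not curl's: the largest path buffer a host-relative
 * URL of this length can need. Worst case is an input like "?moo", whose
 * path becomes "/?moo": one inserted slash plus the NUL beyond the input. */
size_t path_alloc_size(const char *url) {
    size_t urllen = strlen(url);
    return urllen + 2;
}

/* Hypothetical helper, not curl's: copy the path part of "host[/path][?query]"
 * into out, synthesising the leading "/" when the URL has no path component.
 * Returns 0 on success and -1 (writing nothing) if outsize is too small. */
int extract_path(const char *url, char *out, size_t outsize) {
    const char *slash = strchr(url, '/');
    const char *query = strchr(url, '?');
    const char *rest;
    size_t needed;

    if (slash && (!query || slash < query)) {
        /* Explicit path present: it starts at the first slash and includes
         * any query that follows it, so no extra byte is introduced. */
        rest = slash;
        needed = strlen(rest) + 1;          /* bytes plus NUL */
        if (needed > outsize)
            return -1;
        memcpy(out, rest, needed);
        return 0;
    }

    /* No path component: emit "/" followed by the query (if any). This is
     * the case that costs one byte more than the input length. */
    rest = query ? query : "";
    needed = 1 + strlen(rest) + 1;          /* slash, query bytes, NUL */
    if (needed > outsize)
        return -1;
    out[0] = '/';
    memcpy(out + 1, rest, strlen(rest) + 1);
    return 0;
}

/* Extract into a buffer of the requested size and compare with expected.
 * Returns 1 on match, 0 on mismatch, -1 if outsize was rejected as too small. */
int check_path(const char *url, size_t outsize, const char *expected) {
    char buf[64];
    if (outsize > sizeof buf)
        return 0;
    if (extract_path(url, buf, outsize) != 0)
        return -1;
    return strcmp(buf, expected) == 0 ? 1 : 0;
}

int main(void) {
    /* Constructed inputs: the query-only form is the one that needs +2. */
    const char *urls[] = { "www.host.com?moo", "?moo", "www.host.com/a/b?x", "www.host.com" };
    size_t i;
    for (i = 0; i < sizeof urls / sizeof urls[0]; i++) {
        size_t urllen = strlen(urls[i]);
        size_t alloc = path_alloc_size(urls[i]);
        char *buf = malloc(alloc);
        if (!buf)
            return 1;
        printf("%-22s urllen=%2zu alloc=%2zu fits-in-urllen=%s path=",
               urls[i], urllen, alloc,
               extract_path(urls[i], buf, urllen) == 0 ? "yes" : "no ");
        if (extract_path(urls[i], buf, alloc) == 0)
            printf("%s\n", buf);
        free(buf);
    }
    return 0;
}
```

Running it shows that "?moo" cannot be extracted into a buffer of urllen bytes (the copy is refused instead of overflowing) but fits exactly in urllen+2, which is the boundary the curl patch moved.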




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 07:24:37 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:32:05 2019; Machine Name: beach
