Bug#: 125766
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Tavis Ormandy (RETIRED) <taviso@gentoo.org>
Attachments:
Filename                  Type         Creator  Created                 Size
curl-7.15-libtftp.patch   patch        solar    2006-03-19 03:45 0000   651 bytes
curl-7.15.1-r1.ebuild     text/plain   solar    2006-03-19 03:46 0000   2.29 KB
curl-7.15.2-r1.ebuild     text/plain   solar    2006-03-19 03:47 0000   2.25 KB
Description:   Opened: 2006-03-10 15:09 0000
A message received at security@gentoo.org

From: Ulf Harnhammar <metaur@operamail.com>
Date: Fri, 10 Mar 2006 16:32:13 +0100
Subject: cURL tftp:// URL Buffer Overflow

cURL tftp:// URL Buffer Overflow

There is a buffer overflow in cURL when it fetches a tftp:// URL
with a size of >66000 characters. The URL must start with "tftp://",
then a valid hostname, and then another slash.

The bug affects cURL versions 7.15.2, 7.15.1 and 7.15.0.
<snip more details>

Ulf provides the following patch:

--- curl-7.15.1_UNPATCHED/lib/tftp.c
+++ curl-7.15.1/lib/tftp.c
@@ -271,7 +271,7 @@
        /* If we are downloading, send an RRQ */
        state->spacket.event = htons(TFTP_EVENT_RRQ);
      }
-    sprintf((char *)state->spacket.u.request.data, "%s%c%s%c",
+    snprintf((char *)state->spacket.u.request.data, 512, "%s%c%s%c",
              filename, '\0',  mode, '\0');
      sbytes = 4 + (int)strlen(filename) + (int)strlen(mode);
      sbytes = sendto(state->sockfd, (void *)&state->spacket,
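
Review bot: bounding the snprintf() on its own leaves the length computation on the following line inconsistent with what was actually written: `sbytes = 4 + (int)strlen(filename) + (int)strlen(mode);` still uses the untruncated lengths, so for a filename longer than the 512-byte limit the patch imposes, the sendto() that follows would transmit sbytes bytes starting at &state->spacket, reading past the end of the packet structure and sending a request whose NUL-terminated fields were cut off. Prefer to reject the request before formatting when 4 + strlen(filename) + strlen(mode) exceeds the buffer (reporting it through failf() and a CURLE_* error, as the surrounding code does), and replace the literal 512 with sizeof(state->spacket.u.request.data) so the bound cannot drift from the struct definition.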

------- Comment #1 From Tavis Ormandy (RETIRED) 2006-03-10 15:13:43 0000 -------
liquidx: please attach an updated ebuild to this bug if necessary - do not
commit anything to portage at this time, this bug is currently confidential.

------- Comment #2 From Thierry Carrez (RETIRED) 2006-03-12 03:43:22 0000 -------
Adjusting status

------- Comment #3 From Thierry Carrez (RETIRED) 2006-03-14 09:10:00 0000 -------
Embargo set to Monday 20th

------- Comment #4 From Stefan Cornelius (RETIRED) 2006-03-17 03:28:07 0000 -------
3 days till disclosure, still no ebuild

------- Comment #5 From solar 2006-03-19 03:45:44 0000 -------
Created an attachment (id=82532) [details]
curl-7.15-libtftp.patch

------- Comment #6 From solar 2006-03-19 03:46:35 0000 -------
Created an attachment (id=82533) [details]
curl-7.15.1-r1.ebuild

stable series

------- Comment #7 From solar 2006-03-19 03:47:17 0000 -------
Created an attachment (id=82534) [details]
curl-7.15.2-r1.ebuild

~unstable series

------- Comment #8 From Thierry Carrez (RETIRED) 2006-03-19 07:14:00 0000 -------
Adding arch security liaisons. curl-7.15.1-r1 could be committed direct to
stable on 2006/03/20 if you confirm it's stable on each of your arches.

------- Comment #9 From Markus Rothe 2006-03-19 07:31:56 0000 -------
tested on ppc64. it's ok to commit directly to stable.

------- Comment #10 From Mark Loeser 2006-03-19 10:22:00 0000 -------
x86 looks good to go

------- Comment #11 From René Nussbaumer 2006-03-19 12:27:47 0000 -------
Looks good on hppa

------- Comment #12 From Tobias Scherbaum 2006-03-19 13:00:07 0000 -------
Looks good on ppc.

------- Comment #13 From Danny van Dyk (RETIRED) 2006-03-19 13:27:47 0000 -------
I'm substituting blubb for this bug.
Both versions work on amd64. Tested with both curl's test-suite plus my
printer's tftp server.

------- Comment #14 From solar 2006-03-20 01:06:17 0000 -------
This is public now (7.15.3 has been released) 
http://curl.haxx.se/docs/adv_20060320.html

------- Comment #15 From Gustavo Zacarias (RETIRED) 2006-03-20 05:30:27 0000 -------
Looks good for sparc, sorry for the delay but I'm usually off on weekends for
some much needed air & rest.

------- Comment #16 From Stefan Cornelius (RETIRED) 2006-03-20 06:31:08 0000 -------
The issue is now public, opening. I think solar will commit the ebuild soon,
alpha still needs to stable

------- Comment #17 From Stefan Cornelius (RETIRED) 2006-03-20 06:31:31 0000 -------
*** Bug 126942 has been marked as a duplicate of this bug. ***

------- Comment #18 From Fernando J. Pereda (RETIRED) 2006-03-20 06:39:32 0000 -------
The patch looks ok on Alpha too.

------- Comment #19 From solar 2006-03-20 07:00:47 0000 -------
Ok I'll commit the ebuild .15-r1 to stable on the arches that gave feedback.
No reason to keep the .2 so I'll pump a .3 in the tree for ~arch users.

------- Comment #20 From solar 2006-03-20 07:21:06 0000 -------
Everything is in the tree now. 

curl-7.15.1[0]: arm ia64 mips ~ppc-macos s390 sh
curl-7.15.1-r1[0]: alpha amd64 ~arm hppa ~ia64 ~mips ppc ~ppc-macos ppc64 ~s390 ~sh sparc x86
curl-7.15.3[0]: (M) ~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc-macos ~ppc64 ~s390 ~sh ~sparc ~x86

------- Comment #21 From Thierry Carrez (RETIRED) 2006-03-20 09:27:39 0000 -------
Ready for GLSA

------- Comment #22 From Matthias Geerdsen 2006-03-21 11:38:59 0000 -------
Could someone please clarify the following a little bit, so that we don't state
the wrong arches in the GLSA?

"libcurl 7.15.1 and 7.15.2 contain code that prevents this code from being
executed on architectures where a struct is not of the same assumed packed size
it has on x86, thus they are not vulnerable. For exact details on this, please
review the code and patch."
[from http://curl.haxx.se/docs/adv_20060320.html]

This appears to be the relevant part of the code I think:

  /*
   * The TFTP code is not portable because it sends C structs directly over
   * the wire.  Since C gives compiler writers a wide latitude in padding and
   * aligning structs, this fails on many architectures (e.g. ARM).
   *
   * The only portable way to fix this is to copy each struct item into a
   * flat buffer and send the flat buffer instead of the struct.  The
   * alternative, trying to get the compiler to eliminate padding bytes
   * within the struct, is a nightmare to maintain (each compiler does it
   * differently), and is still not guaranteed to work because some
   * architectures can't handle the resulting alignment.
   *
   * This check can be removed once the code has been fixed.
   */
  if(sizeof(struct tftp_packet) != 516) {
    failf(conn->data, "tftp not supported on this architecture");
    return CURLE_FAILED_INIT;
  }
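
As an added illustration (this code is not from the bug report, the advisory, or curl itself; names such as tftp_build_request and tftp_packet_like are hypothetical), here is the portable alternative the quoted comment describes: build the RRQ/WRQ request field by field into a flat buffer instead of sending a C struct over the wire, and refuse a request that would not fit rather than truncating it, which is the stricter form of the bound the patch in the description introduces. The 512-byte block and the 516-byte maximum are the values the quoted sizeof() check relies on; the sample inputs are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical constants (not curl's): a TFTP data block is 512 bytes and the
 * largest packet (2-byte opcode + 2-byte block number + data) is 516 bytes,
 * the size the quoted sizeof() check expects the struct to have. */
#define TFTP_BLKSIZE   512
#define TFTP_PKT_MAX   (TFTP_BLKSIZE + 4)
#define TFTP_OP_RRQ    1
#define TFTP_OP_WRQ    2

/* A struct shaped like the one the quoted check guards against: a 2-byte
 * opcode followed by the packet body. Whether it is exactly 516 bytes depends
 * on compiler padding, which is why sending it raw is not portable. */
struct tftp_packet_like {
    uint16_t event;
    uint8_t  body[TFTP_PKT_MAX - 2];
};

/* Size the compiler actually gives the struct; the quoted curl check refuses
 * to run unless this equals 516. Padding can make it larger, never smaller. */
int tftp_struct_size(void)
{
    return (int)sizeof(struct tftp_packet_like);
}

/* Portable alternative: serialise an RRQ/WRQ field by field into a flat,
 * caller-supplied buffer. Returns the number of bytes to send, or -1 if the
 * request would not fit, so an over-long filename is refused instead of
 * overflowing (sprintf) or being silently truncated (snprintf). */
int tftp_build_request(uint8_t *out, size_t outlen, uint16_t opcode,
                       const char *filename, const char *mode)
{
    size_t flen = strlen(filename);
    size_t mlen = strlen(mode);
    size_t need = 2 + flen + 1 + mlen + 1;   /* opcode, filename\0, mode\0 */

    if (out == NULL || need > outlen)
        return -1;                           /* refuse rather than truncate */

    out[0] = (uint8_t)(opcode >> 8);         /* opcode is big-endian on the wire */
    out[1] = (uint8_t)(opcode & 0xff);
    memcpy(out + 2, filename, flen + 1);     /* copy including the NUL */
    memcpy(out + 2 + flen + 1, mode, mlen + 1);
    return (int)need;                        /* length matches what was written */
}

/* Constructed sample: a short request that fits. Returns the byte count (17)
 * after checking the wire layout: 00 01 "file.txt" 00 "octet" 00. */
int demo_short_request(void)
{
    uint8_t pkt[TFTP_PKT_MAX];
    int n = tftp_build_request(pkt, sizeof pkt, TFTP_OP_RRQ, "file.txt", "octet");
    if (n < 0)
        return n;
    if (pkt[0] != 0 || pkt[1] != TFTP_OP_RRQ)
        return -2;
    if (memcmp(pkt + 2, "file.txt\0octet\0", 15) != 0)
        return -3;
    return n;
}

/* Constructed sample: a filename far longer than any packet (on the order of
 * the >66000-character URL in the report). Returns -1 because it is refused. */
int demo_oversized_request(void)
{
    uint8_t pkt[TFTP_PKT_MAX];
    static char longname[70000];
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    return tftp_build_request(pkt, sizeof pkt, TFTP_OP_RRQ, longname, "octet");
}

int main(void)
{
    printf("struct size: %d (check expects 516)\n", tftp_struct_size());
    printf("short request: %d bytes\n", demo_short_request());
    printf("oversized request: %d (refused)\n", demo_oversized_request());
    return 0;
}
```

Because the byte count returned is derived from the same lengths that were copied, the caller cannot end up sending more bytes than the buffer holds, which is the property the sprintf/snprintf variants in the patch do not give on their own.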

------- Comment #23 From Matthias Geerdsen 2006-03-21 12:53:26 0000 -------
GLSA 200603-19

thanks everyone

------- Comment #24 From Joshua Kinard 2006-04-23 10:58:36 0000 -------
Stable on mips.
