Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 114710 - net-misc/curl <=7.15.0 malformed URL string buffer overflow
Summary: net-misc/curl <=7.15.0 malformed URL string buffer overflow
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://www.hardened-php.net/advisory_...
Whiteboard: B2? [glsa]
Keywords:
: 114729 (view as bug list)
Depends on:
Blocks:
 
Reported: 2005-12-07 01:49 UTC by Chris White (RETIRED)
Modified: 2006-03-16 08:34 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Chris White (RETIRED) gentoo-dev 2005-12-07 01:49:50 UTC
Full Disclosure:

                       Hardened-PHP Project
                        www.hardened-php.net

                      -= Security  Advisory =-


     Advisory: libcurl URL Parsing Vulnerability
 Release Date: 2005/12/07
Last Modified: 2005/12/07
       Author: Stefan Esser [sesser@hardened-php.net]

  Application: Curl    <= 7.15.0
               libcurl <= 7.15.0
     Severity: When (lib)Curl tries to parse a certain kind of
               malformed URLs this leads to a heap overflow
         Risk: Low
Vendor Status: Vendor has released an updated version
   References: http://www.hardened-php.net/advisory_242005.109.html


Overview:

   libcurl is a free and easy-to-use client-side URL transfer library,
   supporting FTP, FTPS, TFTP, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE
   and LDAP. libcurl supports HTTPS certificates, HTTP POST, HTTP PUT,
   FTP uploading, HTTP form based upload, proxies, cookies,
   user+password authentication (Basic, Digest, NTLM, Negotiate,
   Kerberos4), file transfer resume, http proxy tunneling and more!

   During a quick scan of the URL parsing code within libcurl, it was
   discovered, that certain malformed URLs trigger an off-by-one(two)
   bufferoverflow. This may lead to unintended arbitrary code execution.

   Because the attacker must be able to force curl to load such an URL,
   which is not possible through a HTTP redirect, the impact is low.
   However a local attacker might use this vulnerability to break out
   of safe_mode/open_basedir restrictions when PHP is compiled with
   libcurl support.
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2005-12-07 01:54:47 UTC
Alastair please advise and patch as necessary. 
Comment 2 Stefan Cornelius (RETIRED) gentoo-dev 2005-12-07 04:09:58 UTC
*** Bug 114729 has been marked as a duplicate of this bug. ***
Comment 3 Andreas Korthaus 2005-12-07 05:08:02 UTC
advisory from author: http://curl.haxx.se/docs/adv_20051207.html
Comment 4 Daniel Black (RETIRED) gentoo-dev 2005-12-13 04:52:11 UTC
curl-7.15.1.ebuild added  
dev-python/pycurl-7.15.1 not added yet - no upstream version. 
  
please watch out for bug 100616 curl_off_t... configure: error: cannot compute  
sizeof (curl_off_t) 
  
and   
bug 111555 (self test errors - 253 and 255 failed for me but they failed in  
previous version too) 
Comment 5 Markus Rothe (RETIRED) gentoo-dev 2005-12-13 08:42:55 UTC
curl-7.15.1 stable on ppc64. waiting for dev-python/pycurl-7.15.1 to be fixed 
before removing from CC. 
Comment 6 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-12-13 11:09:45 UTC
ppc, hppa done
Comment 7 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-12-13 11:10:38 UTC
Forgot about pycurl
Comment 8 Fernando J. Pereda (RETIRED) gentoo-dev 2005-12-14 03:38:56 UTC
Did alpha for net-misc/curl, waiting for dev-python/pycurl to be fixed.

Cheers,
Ferdy
Comment 9 Gustavo Zacarias (RETIRED) gentoo-dev 2005-12-14 05:16:22 UTC
sparc stable.
i can assume we'll be recalled when pycurl is in, so CC removing us to avoid
noise (and maybe it'll even be on another bug!).
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-12-14 05:35:17 UTC
Yes, it will be another bug for pycurl. Opening it right now.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2005-12-14 05:39:01 UTC
Removing stable arches, pycurl will be handled at bug 115524.
Comment 12 Daniel Gryniewicz (RETIRED) gentoo-dev 2005-12-14 09:50:03 UTC
amd64 done.
Comment 13 Joshua Jackson (RETIRED) gentoo-dev 2005-12-14 19:08:51 UTC
stable on x86
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2005-12-16 12:16:32 UTC
GLSA 200512-09
arm ia64 mips s390 should probably mark stable to benefit from GLSA
Comment 15 Joshua Kinard gentoo-dev 2006-02-25 23:27:43 UTC
mips stable.
Comment 16 Stefan Tittel 2006-03-16 08:20:43 UTC
What about other packages which ship with their own version of libcurl?

According to http://www.heise.de/newsticker/meldung/70926 (sorry, German only) the official OpenOffice 2.01 builds are vulnerable, which affects app-office/openoffice-bin-2.01.

Furthermore also app-text/acroread-7.0.1.1 ships with an old version of libcurl and might be affected as well.
Comment 17 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-16 08:34:40 UTC
There is a new bug for OpenOffice 2.0.2 (bug #126433). Not sure about Acrobat Reader atm, but the latest stable version in portage is 7.0.5-r2 and i currently cant find any info that this version is vulnerable.