-= Security Advisory =-
Advisory: libcurl URL Parsing Vulnerability
Release Date: 2005/12/07
Last Modified: 2005/12/07
Author: Stefan Esser [firstname.lastname@example.org]
Application: Curl <= 7.15.0
libcurl <= 7.15.0
Severity: When (lib)Curl tries to parse a certain kind of
malformed URLs this leads to a heap overflow
Vendor Status: Vendor has released an updated version

libcurl is a free and easy-to-use client-side URL transfer library,
supporting FTP, FTPS, TFTP, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE
and LDAP. libcurl supports HTTPS certificates, HTTP POST, HTTP PUT,
FTP uploading, HTTP form based upload, proxies, cookies,
user+password authentication (Basic, Digest, NTLM, Negotiate,
Kerberos4), file transfer resume, http proxy tunneling and more!

During a quick scan of the URL parsing code within libcurl, it was
discovered that certain malformed URLs trigger an off-by-one(two)
buffer overflow. This may lead to unintended arbitrary code execution.
Because the attacker must be able to force curl to load such a URL,
which is not possible through an HTTP redirect, the impact is low.
However a local attacker might use this vulnerability to break out
of safe_mode/open_basedir restrictions when PHP is compiled with

Alastair please advise and patch as necessary.
*** Bug 114729 has been marked as a duplicate of this bug. ***
advisory from author: http://curl.haxx.se/docs/adv_20051207.html
dev-python/pycurl-7.15.1 not added yet - no upstream version.
please watch out for bug 100616 curl_off_t... configure: error: cannot compute
bug 111555 (self test errors - 253 and 255 failed for me but they failed in
previous version too)
curl-7.15.1 stable on ppc64. waiting for dev-python/pycurl-7.15.1 to be fixed
before removing from CC.
ppc, hppa done
Forgot about pycurl
Did alpha for net-misc/curl, waiting for dev-python/pycurl to be fixed.
I can assume we'll be recalled when pycurl is in, so CC removing us to avoid
noise (and maybe it'll even be on another bug!).
Yes, it will be another bug for pycurl. Opening it right now.
Removing stable arches, pycurl will be handled at bug 115524.
stable on x86
arm ia64 mips s390 should probably mark stable to benefit from GLSA
What about other packages which ship with their own version of libcurl?
According to http://www.heise.de/newsticker/meldung/70926 (sorry, German only) the official OpenOffice 2.01 builds are vulnerable, which affects app-office/openoffice-bin-2.01.
Furthermore also app-text/acroread-126.96.36.199 ships with an old version of libcurl and might be affected as well.
There is a new bug for OpenOffice 2.0.2 (bug #126433). Not sure about Acrobat Reader atm, but the latest stable version in portage is 7.0.5-r2 and I currently can't find any info that this version is vulnerable.
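
On the question raised above about packages that ship their own copy of libcurl: the following is an added example, not part of the original bug thread or the advisory, showing one way to check a binary for a bundled libcurl in the advisory's range (<= 7.15.0). It assumes the bundled library still contains its version banner as the literal bytes "libcurl/X.Y.Z"; the function names and sample byte strings are constructed for illustration.

```python
import re
import sys

# Assumption: a bundled libcurl carries its version banner as the literal
# bytes "libcurl/X.Y.Z" somewhere in the binary.
BANNER = re.compile(rb"libcurl/(\d+)\.(\d+)\.(\d+)")
LAST_AFFECTED = (7, 15, 0)  # from the advisory header: libcurl <= 7.15.0


def embedded_versions(blob):
    """Return the sorted list of distinct libcurl versions found in blob."""
    found = {tuple(int(g) for g in m.groups()) for m in BANNER.finditer(blob)}
    return sorted(found)


def classify(blob):
    """Map each embedded version string to its status per the advisory range."""
    result = {}
    for version in embedded_versions(blob):
        # Tuple comparison orders 7.9.8 before 7.15.0, unlike string comparison.
        in_range = version <= LAST_AFFECTED
        label = "affected" if in_range else "not in advisory range"
        result[".".join(map(str, version))] = label
    return result


def scan_file(path):
    """Read a file as raw bytes and classify any libcurl banners inside it."""
    with open(path, "rb") as fh:
        return classify(fh.read())


# Constructed sample data standing in for binary contents (not real files).
SAMPLE_OLD = b"\x7fELF\x00junk\x00libcurl/7.13.2 OpenSSL/0.9.7e\x00more"
SAMPLE_NEW = b"\x00\x01libcurl/7.15.1 zlib/1.2.3\x00"
SAMPLE_NONE = b"\x00no banner here\x00"

if __name__ == "__main__":
    # Usage: python scan_libcurl.py /path/to/binary [...]
    for path in sys.argv[1:]:
        hits = scan_file(path)
        if not hits:
            print(f"{path}: no libcurl banner found (inconclusive)")
        for version, status in hits.items():
            print(f"{path}: libcurl {version} -> {status}")
```

A missing banner is inconclusive rather than a clean result, since a stripped or modified build may not contain the string; a vendor-patched copy may also keep an old version number.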