Bug 114710 - net-misc/curl <=7.15.0 malformed URL string buffer overflow
Summary: net-misc/curl <=7.15.0 malformed URL string buffer overflow
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B2? [glsa]
Duplicates: 114729
Depends on:
Reported: 2005-12-07 01:49 UTC by Chris White (RETIRED)
Modified: 2006-03-16 08:34 UTC
CC: 4 users

See Also:
Package list:
Runtime testing required: ---
Description Chris White (RETIRED) gentoo-dev 2005-12-07 01:49:50 UTC
Full Disclosure:

                       Hardened-PHP Project

                      -= Security  Advisory =-

     Advisory: libcurl URL Parsing Vulnerability
 Release Date: 2005/12/07
Last Modified: 2005/12/07
       Author: Stefan Esser []

  Application: Curl    <= 7.15.0
               libcurl <= 7.15.0
     Severity: When (lib)Curl tries to parse a certain kind of
               malformed URL, this leads to a heap overflow
         Risk: Low
Vendor Status: Vendor has released an updated version


   libcurl is a free and easy-to-use client-side URL transfer library,
   and LDAP. libcurl supports HTTPS certificates, HTTP POST, HTTP PUT,
   FTP uploading, HTTP form based upload, proxies, cookies,
   user+password authentication (Basic, Digest, NTLM, Negotiate,
   Kerberos4), file transfer resume, http proxy tunneling and more!

   During a quick scan of the URL parsing code within libcurl, it was
   discovered that certain malformed URLs trigger an off-by-one(two)
   buffer overflow. This may lead to unintended arbitrary code execution.

   Because the attacker must be able to force curl to load such a URL,
   which is not possible through an HTTP redirect, the impact is low.
   However, a local attacker might use this vulnerability to break out
   of safe_mode/open_basedir restrictions when PHP is compiled with
   libcurl support.
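The advisory above names the bug class (an off-by-one(two) heap overflow while rewriting a malformed URL) but shows no code. The C example below is added here and is not taken from the advisory or from libcurl: it uses a constructed URL normalizer that inserts a "/" before a query when the URL has no path, showing the undersized-buffer pattern beside a version that sizes and bounds every write. The slash-insertion scenario and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration (not libcurl's code): a URL with no path, such as
 * "http://host?q=1", gets a "/" inserted before "?" so it becomes
 * "http://host/?q=1". The result is one byte longer than the input and
 * still needs a NUL, so the output buffer must hold strlen(url) + 2 bytes.
 * Sizing it from strlen(url) alone is the off-by-one(two) pattern. */

/* Vulnerable pattern, shown for contrast only; never call it. */
char *insert_slash_unsafe(const char *url, const char *q)
{
    size_t head = (size_t)(q - url);
    char *out = malloc(strlen(url));      /* no room for "/" or the NUL */
    memcpy(out, url, head);
    out[head] = '/';
    strcpy(out + head + 1, q);            /* last two bytes land past the end */
    return out;
}

/* Hardened version: derive the size from what is actually written, bound
 * every write with it, and reject any input the routine does not understand. */
char *url_insert_path_slash(const char *url)
{
    const char *scheme_end = strstr(url, "://");
    if (scheme_end == NULL)
        return NULL;                      /* not a hierarchical URL */
    const char *host = scheme_end + 3;
    size_t host_span = strcspn(host, "/?");
    if (host[host_span] != '?') {         /* has a path already, or no query */
        size_t size = strlen(url) + 1;
        char *copy = malloc(size);
        return copy ? memcpy(copy, url, size) : NULL;
    }
    size_t head = (size_t)(host + host_span - url);
    size_t out_size = strlen(url) + 2;    /* +1 for "/", +1 for NUL */
    char *out = malloc(out_size);
    if (out == NULL)
        return NULL;
    int n = snprintf(out, out_size, "%.*s/%s", (int)head, url, url + head);
    if (n < 0 || (size_t)n >= out_size) { /* truncated: size math was wrong */
        free(out);
        return NULL;
    }
    return out;
}

int main(void)
{
    char *fixed = url_insert_path_slash("http://host?q=1");
    printf("%s\n", fixed ? fixed : "(rejected)");
    free(fixed);
    return 0;
}
```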
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2005-12-07 01:54:47 UTC
Alastair, please advise and patch as necessary.
Comment 2 Stefan Cornelius (RETIRED) gentoo-dev 2005-12-07 04:09:58 UTC
*** Bug 114729 has been marked as a duplicate of this bug. ***
Comment 3 Andreas Korthaus 2005-12-07 05:08:02 UTC
advisory from author:
Comment 4 Daniel Black (RETIRED) gentoo-dev 2005-12-13 04:52:11 UTC
curl-7.15.1.ebuild added
dev-python/pycurl-7.15.1 not added yet - no upstream version.
please watch out for bug 100616 curl_off_t... configure: error: cannot compute sizeof (curl_off_t)
bug 111555 (self test errors - 253 and 255 failed for me but they failed in previous version too)
Comment 5 Markus Rothe (RETIRED) gentoo-dev 2005-12-13 08:42:55 UTC
curl-7.15.1 stable on ppc64. waiting for dev-python/pycurl-7.15.1 to be fixed before removing from CC.
Comment 6 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-12-13 11:09:45 UTC
ppc, hppa done
Comment 7 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-12-13 11:10:38 UTC
Forgot about pycurl
Comment 8 Fernando J. Pereda (RETIRED) gentoo-dev 2005-12-14 03:38:56 UTC
Did alpha for net-misc/curl, waiting for dev-python/pycurl to be fixed.

Comment 9 Gustavo Zacarias (RETIRED) gentoo-dev 2005-12-14 05:16:22 UTC
sparc stable.
I can assume we'll be recalled when pycurl is in, so CC removing us to avoid
noise (and maybe it'll even be on another bug!).
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-12-14 05:35:17 UTC
Yes, it will be another bug for pycurl. Opening it right now.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2005-12-14 05:39:01 UTC
Removing stable arches, pycurl will be handled at bug 115524.
Comment 12 Daniel Gryniewicz (RETIRED) gentoo-dev 2005-12-14 09:50:03 UTC
amd64 done.
Comment 13 Joshua Jackson (RETIRED) gentoo-dev 2005-12-14 19:08:51 UTC
stable on x86
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2005-12-16 12:16:32 UTC
GLSA 200512-09
arm ia64 mips s390 should probably mark stable to benefit from GLSA
Comment 15 Joshua Kinard gentoo-dev 2006-02-25 23:27:43 UTC
mips stable.
Comment 16 Stefan Tittel 2006-03-16 08:20:43 UTC
What about other packages which ship with their own version of libcurl?

According to (sorry, German only) the official OpenOffice 2.01 builds are vulnerable, which affects app-office/openoffice-bin-2.01.

Furthermore also app-text/acroread- ships with an old version of libcurl and might be affected as well.
Comment 17 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-16 08:34:40 UTC
There is a new bug for OpenOffice 2.0.2 (bug #126433). Not sure about Acrobat Reader atm, but the latest stable version in portage is 7.0.5-r2 and I currently can't find any info that this version is vulnerable.