Full Disclosure: Hardened-PHP Project www.hardened-php.net -= Security Advisory =- Advisory: libcurl URL Parsing Vulnerability Release Date: 2005/12/07 Last Modified: 2005/12/07 Author: Stefan Esser [sesser@hardened-php.net] Application: Curl <= 7.15.0 libcurl <= 7.15.0 Severity: When (lib)Curl tries to parse a certain kind of malformed URLs this leads to a heap overflow Risk: Low Vendor Status: Vendor has released an updated version References: http://www.hardened-php.net/advisory_242005.109.html Overview: libcurl is a free and easy-to-use client-side URL transfer library, supporting FTP, FTPS, TFTP, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE and LDAP. libcurl supports HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies, user+password authentication (Basic, Digest, NTLM, Negotiate, Kerberos4), file transfer resume, http proxy tunneling and more! During a quick scan of the URL parsing code within libcurl, it was discovered, that certain malformed URLs trigger an off-by-one(two) bufferoverflow. This may lead to unintended arbitrary code execution. Because the attacker must be able to force curl to load such an URL, which is not possible through a HTTP redirect, the impact is low. However a local attacker might use this vulnerability to break out of safe_mode/open_basedir restrictions when PHP is compiled with libcurl support.
Alastair please advise and patch as necessary.
*** Bug 114729 has been marked as a duplicate of this bug. ***
advisory from author: http://curl.haxx.se/docs/adv_20051207.html
curl-7.15.1.ebuild added dev-python/pycurl-7.15.1 not added yet - no upstream version. please watch out for bug 100616 curl_off_t... configure: error: cannot compute sizeof (curl_off_t) and bug 111555 (self test errors - 253 and 255 failed for me but they failed in previous version too)
curl-7.15.1 stable on ppc64. waiting for dev-python/pycurl-7.15.1 to be fixed before removing from CC.
ppc, hppa done
Forgot about pycurl
Did alpha for net-misc/curl, waiting for dev-python/pycurl to be fixed. Cheers, Ferdy
sparc stable. i can assume we'll be recalled when pycurl is in, so CC removing us to avoid noise (and maybe it'll even be on another bug!).
Yes, it will be another bug for pycurl. Opening it right now.
Removing stable arches, pycurl will be handled at bug 115524.
amd64 done.
stable on x86
GLSA 200512-09 arm ia64 mips s390 should probably mark stable to benefit from GLSA
mips stable.
What about other packages which ship with their own version of libcurl? According to http://www.heise.de/newsticker/meldung/70926 (sorry, German only) the official OpenOffice 2.01 builds are vulnerable, which affects app-office/openoffice-bin-2.01. Furthermore also app-text/acroread-7.0.1.1 ships with an old version of libcurl and might be affected as well.
There is a new bug for OpenOffice 2.0.2 (bug #126433). Not sure about Acrobat Reader atm, but the latest stable version in portage is 7.0.5-r2 and i currently cant find any info that this version is vulnerable.
