[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] [SECURITY ADVISORY] curl: Integer overflows in curl_url_set
From:       Daniel Stenberg <daniel () haxx ! se>
Date:       2019-05-22 7:23:51
Message-ID: alpine.DEB.2.20.1905201533020.21193 () tvnag ! unkk ! fr
[Download RAW message or body]

Integer overflows in `curl_url_set()`
=====================================

Project curl Security Advisory, May 22nd 2019 -
[Permalink](https://curl.haxx.se/docs/CVE-2019-5435.html)

VULNERABILITY
-------------

libcurl contains two integer overflows in the `curl_url_set()` function that
if triggered, can lead to a too small buffer allocation and a subsequent heap
buffer overflow.

The flaws only exist on 32 bit architectures and require excessive string
input lengths.

We are not aware of any exploit of this flaw.

INFO
----

There are two entry points to this issue, on 32 bit architectures.

By asking libcurl to parse a string, passing in a string longer than 2GB to
this API: `curl_url_set(uh, CURLUPART_URL, "string", 0);` triggers the bug.

Asking libcurl to update a URL with a new string, and URL encoded it in the
process, by passing in a string longer than 1.33GB to this API:
`curl_url_set(uh, CURLUPART_*, "string", CURLU_URLENCODE);` triggers the bug.

This bug was introduced in August 2018 in
[commit fb30ac5a2d](https://github.com/curl/curl/commit/fb30ac5a2d63773c52).

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2019-5435 to this issue.

CWE-131: Incorrect Calculation of Buffer Size

Severity: 3.7 (Low)

AFFECTED VERSIONS
-----------------

- Affected versions: libcurl 7.62.0 to and including 7.64.1
- Not affected versions: libcurl < 7.62.0 and >= libcurl 7.65.0

libcurl is used by many applications, but not always advertised as such.

THE SOLUTION
------------

A [fix for CVE-2019-5435](https://github.com/curl/curl/commit/5fc28510a4664f4) is already merged.

RECOMMENDATIONS
--------------

We suggest you take one of the following actions immediately, in order of
preference:

  A - Upgrade curl to version 7.65.0

  B - Apply the patch to your version and rebuild

TIMELINE
--------

The issue was reported to the curl project on April 24, 2019. The patch was
communicated to the reporter on April 25, 2019. We contacted distros@openwall
on May 15.

curl 7.65.0 was released on May 22 2019, coordinated with the publication of
this advisory.

CREDITS
-------

Reported by Wenchao Li. Patch by Daniel Stenberg

Thanks a lot!

-- 

  / daniel.haxx.se | Get the best commercial curl support there is - from me
                   | Private help, bug fixes, support, ports, new features
                   | https://www.wolfssl.com/contact/
[prev in list] [next in list] [prev in thread] [next in thread]