Bug 1228260 (CVE-2024-6874)

Summary: VUL-0: CVE-2024-6874: curl: macidn punycode buffer overread
Product: [Novell Products] SUSE Security Incidents Reporter: Gianluca Gabrielli <gianluca.gabrielli>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: IN_PROGRESS --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: pmonrealgonzalez
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Gianluca Gabrielli 2024-07-24 07:00:04 UTC 
libcurl's URL API function curl_url_get() offers punycode conversions, to and from IDN. Asking to convert a name that is exactly 256 bytes, libcurl ends up reading outside of a stack based buffer when built to use the macidn IDN backend. The conversion function then fills up the provided buffer exactly - but does not null terminate the string.

This flaw can lead to stack contents accidently getting returned as part of the converted string.

References
https://curl.se/docs/CVE-2024-6874.html
https://github.com/curl/curl/commit/add22feeef07858307be57 (offending)
https://github.com/curl/curl/commit/686d54baf1df6e0775 (fix)
Comment 1 Gianluca Gabrielli 2024-07-24 07:04:15 UTC 
The only affected package is openSUSE:Factory/curl. Please bump it to v8.9.0 [0].

[0] https://curl.se/docs/vuln-8.9.0.html
Comment 2 Pedro Monreal Gonzalez 2024-07-24 08:43:10 UTC 
Factory update to curl 8.9.0:
   * https://build.opensuse.org/request/show/1189336