Bug 137785

Summary: VUL-0: curl: URL parsing code within libcurl is vulnerable to off-by-one buffer overflow
Product: [openSUSE] SUSE Linux 10.1
Reporter: Thomas Biege <thomas>
Component: Other
Assignee: Michal Marek <mmarek>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
CC: patch-request, security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: CVE-2005-4077: CVSS v2 Base Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Thomas Biege 2005-12-09 13:08:07 UTC
Hi,
please have a look at this advisory.

http://www.hardened-php.net/advisory_242005.109.html

CVE-2005-4077
Multiple off-by-one errors in libcurl 7.11.2 through 7.15.0 and earlier allow local users to trigger a buffer overflow and cause a denial of service or bypass PHP security restrictions via certain URLs that (1) are malformed in a way that prevents a terminating null byte from being added to either a hostname or path buffer, or (2) contain a "?" separator in the hostname portion, which causes a "/" to be prepended to the resulting string
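To make the two conditions in the CVE text concrete, here is an added illustrative C example; it is not libcurl's code and not part of this bug report. It models a fixed-buffer host/path splitter that reserves the terminating NUL and charges the extra byte for the "/" prepended when "?" precedes any "/"; the names split_url and query_fits and all input strings are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Split "scheme://host[/path][?query]" into fixed-size host and path buffers.
 * Models the two CVE-2005-4077 conditions from the description above:
 *   1. the hostname or path exactly fills its buffer, leaving no room for the NUL
 *   2. a '?' appears before any '/', so "/" is prepended to the path (one extra byte)
 * Every copy reserves the NUL, so oversized input is refused instead of overflowing.
 * Hypothetical helper written for this example, not libcurl's parser. */
bool split_url(const char *url, char *host, size_t hostsz, char *path, size_t pathsz)
{
    const char *p = strstr(url, "://");
    if (!p) return false;
    p += 3;
    size_t hostlen = strcspn(p, "/?");        /* hostname ends at '/' or '?' */
    if (hostlen + 1 > hostsz) return false;   /* +1: terminating NUL must fit */
    memcpy(host, p, hostlen);
    host[hostlen] = '\0';

    const char *rest = p + hostlen;
    if (*rest == '?') {
        /* no '/' before the query: "/" is prepended, costing one extra byte */
        if (1 + strlen(rest) + 1 > pathsz) return false;
        path[0] = '/';
        strcpy(path + 1, rest);
    } else {
        const char *src = *rest ? rest : "/";
        if (strlen(src) + 1 > pathsz) return false;
        strcpy(path, src);
    }
    return true;
}

/* Constructed probe: does "http://h?" followed by n query bytes fit a path buffer of pathsz? */
bool query_fits(size_t n, size_t pathsz)
{
    char url[128], host[16], path[64];
    if (n + 10 > sizeof url || pathsz > sizeof path) return false;
    memcpy(url, "http://h?", 9);
    memset(url + 9, 'a', n);
    url[9 + n] = '\0';
    return split_url(url, host, sizeof host, path, pathsz);
}

int main(void)
{
    char host[32], path[32];
    bool ok = split_url("http://example.test?x=1", host, sizeof host, path, sizeof path);
    printf("%s host=%s path=%s\n", ok ? "ok" : "rejected", host, path);
    printf("29 query bytes in 32: %d, 30 in 32: %d\n", query_fits(29, 32), query_fits(30, 32));
    return 0;
}
```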
Comment 1 Thomas Biege 2005-12-09 13:15:24 UTC
Maintenance-Tracker-3191
Comment 2 Thomas Biege 2005-12-09 13:15:43 UTC
Is compat-curl2 also affected?
Comment 3 Thomas Biege 2005-12-09 13:20:30 UTC
   6 remote non-root user
  +0 human user
  +1 default package
  +1 default active
  -1 user interaction
  -1 DoS

Total Score: 6 (Moderate)
Comment 4 Michal Marek 2005-12-12 11:22:30 UTC
I submitted fixes for 9.2, 9.3 and 10.0. curl <= 7.11.1 (8.1, 9.0, 9.1 and
compat-curl2) isn't affected. I'll update stable to 7.15.1 soon.
Comment 5 Thomas Biege 2005-12-12 11:51:58 UTC
Thanks a lot.

/work/src/done/PATCHINFO/curl.patch.box
Comment 6 Thomas Biege 2006-01-04 09:13:22 UTC
Packages approved.
Comment 7 Marcus Meissner 2006-03-21 15:44:59 UTC
The CVE entry is wrong, I think.

7.11.0 can be tricked into the 2 byte overflow (\0 and 1 other)
7.9.8 can be tricked into the 1 byte (\0) overflow.
Comment 8 Marcus Meissner 2006-03-21 16:02:59 UTC
Hmm, still trying to find out.
Comment 9 Marcus Meissner 2006-03-21 16:25:43 UTC
I was mistaken.
Comment 10 Thomas Biege 2009-10-13 20:43:20 UTC
CVE-2005-4077: CVSS v2 Base Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)