Bug 157874

Summary: overflow in curl
Product: [openSUSE] SUSE Linux 10.1
Reporter: Sebastian Krahmer <krahmer>
Component: Network
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
CC: mmarek, security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: CVE-2006-1061: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Sebastian Krahmer 2006-03-14 09:05:53 UTC
From: "Ulf Harnhammar" <metaur@operamail.com>
To: curl-security@haxx.se
Subject: cURL tftp:// URL Buffer Overflow
Date: Fri, 10 Mar 2006 16:32:13 +0100


cURL tftp:// URL Buffer Overflow

There is a buffer overflow in cURL when it fetches a tftp:// URL
with a size of >66000 characters. The URL must start with "tftp://",
then a valid hostname, and then another slash.

The bug affects cURL versions 7.15.2, 7.15.1 and 7.15.0.

Successful exploitation of this vulnerability allows attackers to
execute code within the context of cURL. There are many programs
that allow remote users to access cURL, for instance through its
PHP bindings that let a PHP web developer write a web application
that uses cURL on the web server to access a remote resource on the
Internet. In such a case, if the web application does not check
for very long URLs, any user of the web application may submit a
URL that will be passed to cURL, causing a buffer overflow in it.

If cURL is configured to follow HTTP redirects, for example by using
its -L command line option, any web resource can redirect to a tftp://
URL that causes this overflow.

If cURL is compiled with "./configure --disable-tftp && make",
the whole TFTP support in the program is disabled. This secures it
effectively against this vulnerability, but some users may wish
to use the program's TFTP capabilities, making it an undesirable
workaround for them.

I have attached an unofficial patch and a PHP script that exhibits
redirecting from a web resource to a dangerous tftp:// URL.

I hope that we can coordinate our respective cURL updates to solve
this issue in a proper manner.

// Ulf Harnhammar, Swedish Security Audit Group



--- curl-7.15.1_UNPATCHED/lib/tftp.c
+++ curl-7.15.1/lib/tftp.c
@@ -271,7 +271,7 @@
         /* If we are downloading, send an RRQ */
         state->spacket.event = htons(TFTP_EVENT_RRQ);
       }
-    sprintf((char *)state->spacket.u.request.data, "%s%c%s%c",
+    snprintf((char *)state->spacket.u.request.data, 512, "%s%c%s%c",
               filename, '\0',  mode, '\0');
       sbytes = 4 + (int)strlen(filename) + (int)strlen(mode);
       sbytes = sendto(state->sockfd, (void *)&state->spacket,
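Review bot: the 512-byte bound on the `+` line stops the write, but `sbytes = 4 + (int)strlen(filename) + (int)strlen(mode)` two lines below is still computed from the unbounded string lengths, so an overlong filename is truncated in the buffer while `sendto()` is told to send `sbytes` bytes from `&state->spacket`, reading past the request buffer. Derive the length from what was actually written (or return an error when `filename` plus `mode` plus two NULs exceed the buffer rather than truncating silently), and use `sizeof(state->spacket.u.request.data)` instead of the literal 512 so the bound cannot drift from the declaration.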



<?php

header('Location: tftp://localhost/' . str_repeat('U', 197000));

?>
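As an added example (not code from curl or from the advisory), the request builder below shows the defensive shape the advisory's patch approximates: the RRQ packet is assembled with an explicit length check and the byte count to send is derived from what was written, not from strlen() of the input. The 512-byte data area and the demo_* helper names are assumptions made here.

```c
/* Added example, not curl's or the advisory's code: a TFTP read request (RRQ)
 * builder with the bounds check that the sprintf() in lib/tftp.c lacked.
 * RFC 1350 RRQ layout: 2-byte opcode (1), filename, NUL, mode, NUL.  The
 * 512-byte data area is an assumption matching the patch's snprintf size. */
#include <string.h>

#define TFTP_DATA_SIZE 512
#define TFTP_OPCODE_RRQ 1

struct tftp_request {
    unsigned char opcode[2];       /* big-endian opcode, as on the wire */
    char data[TFTP_DATA_SIZE];     /* "<filename>\0<mode>\0" */
};

/* Fill pkt with an RRQ. Returns the byte count to hand to sendto(), or -1 if
 * the request does not fit. The count comes from what was written, so it can
 * never exceed the buffer (the unpatched sbytes was computed from strlen()). */
int tftp_build_rrq(struct tftp_request *pkt, const char *filename, const char *mode)
{
    size_t flen = strlen(filename);
    size_t mlen = strlen(mode);

    /* Reject rather than truncate: a silently shortened filename is a
     * different request, not a safe one. */
    if (flen + 1 + mlen + 1 > sizeof(pkt->data))
        return -1;

    pkt->opcode[0] = 0;
    pkt->opcode[1] = TFTP_OPCODE_RRQ;
    memcpy(pkt->data, filename, flen + 1);          /* copies the NUL too */
    memcpy(pkt->data + flen + 1, mode, mlen + 1);
    return (int)(sizeof(pkt->opcode) + flen + 1 + mlen + 1);
}

/* Wire length of an RRQ for an ordinary filename. */
int demo_normal_request(void)
{
    struct tftp_request pkt;
    return tftp_build_rrq(&pkt, "boot.img", "octet");
}

/* The same call with a constructed 66000-character filename, the size the
 * advisory names: the builder returns -1 instead of overflowing. */
int demo_oversized_request(void)
{
    static char big[66001];
    struct tftp_request pkt;
    memset(big, 'U', sizeof(big) - 1);
    big[sizeof(big) - 1] = '\0';
    return tftp_build_rrq(&pkt, big, "octet");
}
```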
Comment 1 Sebastian Krahmer 2006-03-14 09:06:52 UTC
Date: Mon, 13 Mar 2006 13:35:51 -0500
From: Josh Bressers <bressers@redhat.com>
To: Ulf Harnhammar <metaur@operamail.com>
Cc: vendor-sec@lst.de, daniel@haxx.se, security@gentoo.org,
    naddy@mips.inka.de
Subject: Re: [vendor-sec] cURL tftp:// URL Buffer Overflow

> Hello,
> 
> can we have a CAN/CVE id for this issue, please?
> 
> We are considering releasing this information on Saturday this week. Is there
> anyone on the list that distributes a vulnerable version of cURL who finds
> that date inconvenient?

Ulf, thanks for the heads up.  Saturday (2006-03-18) is probably a bad day
for most of us.  Can we move it to sometime during the next week
(2006-03-20 to 2006-03-24)?

Use CVE-2006-1061 for this issue.

Thanks.

-- 
    JB
Comment 2 Michal Marek 2006-03-14 10:16:21 UTC
There's no TFTP support in curl <= 7.14.0, so this only affects STABLE.
Comment 3 Sebastian Krahmer 2006-03-14 10:47:51 UTC
Even better. So you only need to fix STABLE and we do not
need updates if the fix in STABLE makes it in 10.1
Comment 4 Sebastian Krahmer 2006-03-14 11:21:26 UTC
Date: Tue, 14 Mar 2006 12:16:23 +0100
From: Ulf Harnhammar <metaur@operamail.com>
To: Josh Bressers <bressers@redhat.com>
Cc: vendor-sec@lst.de, daniel@haxx.se, security@gentoo.org,
    naddy@mips.inka.de
Subject: Re: [vendor-sec] cURL tftp:// URL Buffer Overflow

> Ulf, thanks for the heads up.  Saturday (2006-03-18) is probably a bad day
> for most of us.  Can we move it to sometime during the next week
> (2006-03-20 to 2006-03-24)?

OK, let's say Monday the 20th of March, then.

> Use CVE-2006-1061 for this issue.

Thanks!

// Ulf
Comment 5 Ludwig Nussel 2006-03-14 11:24:44 UTC
please mention the CRD in your checkin mail so the autobuild team doesn't check it in before the CRD.
Comment 6 Michal Marek 2006-03-14 11:26:52 UTC
This means I can submit it now? Ok then.
Comment 7 Michal Marek 2006-03-14 11:40:19 UTC
done
Comment 8 Marcus Meissner 2006-03-21 15:16:49 UTC
was checked in -> fixed
Comment 9 Thomas Biege 2009-10-13 23:01:55 UTC
CVE-2006-1061: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)