Bugzilla – Bug 1204384
VUL-0: CVE-2022-35260: curl: .netrc parser out-of-bounds access
Last modified: 2022-10-26 09:53:19 UTC
Public via oss-security:

CVE-2022-35260: .netrc parser out-of-bounds access
==================================================

Project curl Security Advisory, October 26 2022 - [Permalink](https://curl.se/docs/CVE-2022-35260.html)

VULNERABILITY
-------------

curl can be told to parse a `.netrc` file for credentials. If that file ends in a line with consecutive non-white space letters and no newline, curl could read past the end of the stack-based buffer, and if the read works, write a zero byte possibly beyond its boundary.

This will in most cases cause a segfault or similar, but circumstances might also cause different outcomes.

If a malicious user can provide a custom netrc file to an application or otherwise affect its contents, this flaw could be used as denial-of-service.

We are not aware of any exploit of this flaw.

INFO
----

The flaw was introduced in curl with [this commit](https://github.com/curl/curl/commit/eeaae10c0fb27aa06), first shipped in curl 7.84.0.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2022-35260 to this issue.

CWE-121: Stack-based Buffer Overflow

Severity: low

AFFECTED VERSIONS
-----------------

- Affected versions: curl 7.84.0 to and including 7.85.0
- Not affected versions: curl < 7.84.0 and >= 7.86.0

libcurl is used by many applications, but not always advertised as such!

THE SOLUTION
------------

[The fix for CVE-2022-35260](https://github.com/curl/curl/commit/c97ec984fb2bc919a3aa86)

RECOMMENDATIONS
---------------

A - Upgrade curl to version 7.86.0

B - Apply the patch to your local version

C - Do not use `.netrc` files

TIMELINE
--------

This issue was reported to the curl project on October 3, 2022.

We contacted distros@openwall on October 18, 2022.

libcurl 7.86.0 was released on October 26 2022, coordinated with the publication of this advisory.

CREDITS
-------

- Reported-by: Hiroki Kurosawa
- Patched-by: Daniel Stenberg

Thanks a lot!
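The advisory's trigger is a `.netrc` whose last line ends mid-token with no newline, which a scanner that stops at a newline or NUL rather than at the buffer length will run past. The following is an added example, not curl's parser or its fix: a small `.netrc` tokenizer that bounds every scan by the input length and refuses tokens that would not fit its fixed-size stack buffer. The function names, the `NETRC_MAX_TOKEN` limit and the sample file contents are all constructed for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical limit for this example: tokens longer than this are rejected
 * instead of being copied into a fixed-size stack buffer. */
#define NETRC_MAX_TOKEN 255

struct netrc_creds {
    char machine[NETRC_MAX_TOKEN + 1];
    char login[NETRC_MAX_TOKEN + 1];
    char password[NETRC_MAX_TOKEN + 1];
};

static int netrc_is_space(char c)
{
    return c == ' ' || c == '\t' || c == '\n' || c == '\r';
}

/* Copy the next whitespace-delimited token starting at buf[*pos] into out.
 * The scan is bounded by len alone: it never relies on a trailing newline or
 * NUL being present, so a file whose last line ends mid-token is handled.
 * Returns the token length, 0 when the input is exhausted, -1 when the token
 * would not fit in out (outsz includes room for the terminator). */
static int netrc_next_token(const char *buf, size_t len, size_t *pos,
                            char *out, size_t outsz)
{
    size_t i = *pos, start, toklen;

    while (i < len && netrc_is_space(buf[i]))
        i++;
    start = i;
    while (i < len && !netrc_is_space(buf[i]))
        i++;
    toklen = i - start;
    *pos = i;

    if (toklen == 0)
        return 0;
    if (toklen >= outsz)
        return -1;                 /* refuse rather than overflow out[] */
    memcpy(out, buf + start, toklen);
    out[toklen] = '\0';            /* terminator lands inside out[] */
    return (int)toklen;
}

/* Look up credentials for host in a .netrc image of exactly len bytes (no
 * NUL terminator or final newline required). Returns 1 when a matching
 * machine entry with a login was found, 0 when none matched, -1 when a token
 * exceeded NETRC_MAX_TOKEN. Only "machine", "login" and "password" are
 * handled; "default", "account" and "macdef" are ignored in this example. */
int netrc_lookup(const char *buf, size_t len, const char *host,
                 struct netrc_creds *creds)
{
    char tok[NETRC_MAX_TOKEN + 1];   /* the fixed-size stack buffer */
    size_t pos = 0;
    int n, matched = 0;

    memset(creds, 0, sizeof(*creds));
    while ((n = netrc_next_token(buf, len, &pos, tok, sizeof tok)) > 0) {
        if (strcmp(tok, "machine") == 0) {
            if (matched)
                break;             /* next entry begins; ours is complete */
            n = netrc_next_token(buf, len, &pos, tok, sizeof tok);
            if (n <= 0)
                break;
            matched = (strcmp(tok, host) == 0);
            if (matched)
                memcpy(creds->machine, tok, (size_t)n + 1);
        } else if (matched && strcmp(tok, "login") == 0) {
            n = netrc_next_token(buf, len, &pos, tok, sizeof tok);
            if (n <= 0)
                break;
            memcpy(creds->login, tok, (size_t)n + 1);
        } else if (matched && strcmp(tok, "password") == 0) {
            n = netrc_next_token(buf, len, &pos, tok, sizeof tok);
            if (n <= 0)
                break;
            memcpy(creds->password, tok, (size_t)n + 1);
        }
    }
    if (n < 0)
        return -1;
    return (matched && creds->login[0] != '\0') ? 1 : 0;
}

/* Exercises the rejection path: a final token longer than NETRC_MAX_TOKEN,
 * with no trailing newline, yields -1 instead of a copy past tok[]. */
int netrc_demo_oversized(void)
{
    char img[32 + NETRC_MAX_TOKEN + 8];
    const char *head = "machine example.invalid login ";
    size_t hl = strlen(head);
    struct netrc_creds c;

    memcpy(img, head, hl);
    memset(img + hl, 'x', NETRC_MAX_TOKEN + 8);
    return netrc_lookup(img, hl + NETRC_MAX_TOKEN + 8, "example.invalid", &c);
}

int main(void)
{
    /* Constructed sample: the image ends in the middle of the last token with
     * no newline, the shape the advisory describes; len excludes the NUL so
     * the parser cannot lean on it. */
    const char img[] = "machine example.invalid login alice password s3cret";
    struct netrc_creds c;
    int rc = netrc_lookup(img, strlen(img), "example.invalid", &c);

    printf("rc=%d login=%s password=%s oversized=%d\n",
           rc, c.login, c.password, netrc_demo_oversized());
    return rc == 1 ? 0 : 1;
}
```

The point to take from it is that both loops in `netrc_next_token` are governed by `len`, not by the presence of a newline or NUL, and the write of the terminator happens only after the length check against `outsz`; passing `strlen(img)` rather than `sizeof img` in the sample keeps the trailing NUL out of the parser's view.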
Factory submission: * https://build.opensuse.org/request/show/1031305
All done here, closing.