Bug 1228260 (CVE-2024-6874) - VUL-0: CVE-2024-6874: curl: macidn punycode buffer overread
Status: IN_PROGRESS
Alias: CVE-2024-6874
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
Reported: 2024-07-24 07:00 UTC by Gianluca Gabrielli
Modified: 2024-07-24 08:43 UTC
Description Gianluca Gabrielli 2024-07-24 07:00:04 UTC
libcurl's URL API function curl_url_get() offers punycode conversions, to and from IDN. Asking to convert a name that is exactly 256 bytes, libcurl ends up reading outside of a stack based buffer when built to use the macidn IDN backend. The conversion function then fills up the provided buffer exactly - but does not null terminate the string.

This flaw can lead to stack contents accidentally getting returned as part of the converted string.

References
https://curl.se/docs/CVE-2024-6874.html
https://github.com/curl/curl/commit/add22feeef07858307be57 (offending)
https://github.com/curl/curl/commit/686d54baf1df6e0775 (fix)
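
Added example, not part of the original report and not curl's code or its fix: a minimal C sketch of the exact-fill case described above and a caller-side check that rejects it. The backend_convert() stand-in, the convert_checked() wrapper and the 256-byte buffer size are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IDN_BUF 256 /* assumed stack buffer size, matching the 256-byte case */

/* Hypothetical stand-in for an IDN backend call: writes at most cap bytes,
   returns the number written, and never adds a terminating NUL. */
static size_t backend_convert(const char *in, char *out, size_t cap)
{
  size_t n = strlen(in);
  if(n > cap)
    n = cap;
  memcpy(out, in, n);
  return n;
}

/* Checked caller. The flawed pattern would be strdup(buf) right after the
   call: when n == sizeof(buf) there is no NUL inside buf, so the copy keeps
   reading adjacent stack memory. Here the exact-fill result is rejected. */
char *convert_checked(const char *in)
{
  char buf[IDN_BUF];
  size_t n = backend_convert(in, buf, sizeof(buf));
  char *copy;
  if(n >= sizeof(buf))
    return NULL;   /* no room for the terminator; output may be truncated */
  buf[n] = '\0';   /* terminate explicitly instead of trusting the backend */
  copy = malloc(n + 1);
  if(copy)
    memcpy(copy, buf, n + 1);
  return copy;
}

int main(void)
{
  char name[IDN_BUF + 1];
  memset(name, 'a', IDN_BUF); /* constructed 256-byte input */
  name[IDN_BUF] = '\0';
  char *r = convert_checked(name);
  printf("256-byte name: %s\n", r ? "converted" : "rejected");
  free(r);
  return 0;
}
```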
Comment 1 Gianluca Gabrielli 2024-07-24 07:04:15 UTC
The only affected package is openSUSE:Factory/curl. Please bump it to v8.9.0 [0].

[0] https://curl.se/docs/vuln-8.9.0.html
Comment 2 Pedro Monreal Gonzalez 2024-07-24 08:43:10 UTC
Factory update to curl 8.9.0:
   * https://build.opensuse.org/request/show/1189336