Bugzilla – Bug 137785
VUL-0: curl: URL parsing code within libcurl is vulnerable to off-by-one buffer overflow
Last modified: 2009-10-13 20:43:20 UTC
Hi, please have a look at this advisory:
http://www.hardened-php.net/advisory_242005.109.html

CVE-2005-4077: Multiple off-by-one errors in libcurl 7.11.2 through 7.15.0 and earlier allow local users to trigger a buffer overflow and cause a denial of service or bypass PHP security restrictions via certain URLs that (1) are malformed in a way that prevents a terminating null byte from being added to either a hostname or path buffer, or (2) contain a "?" separator in the hostname portion, which causes a "/" to be prepended to the resulting string.
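The two conditions in the CVE text are easy to misread, so here is an added illustration of the bug class in a toy URL splitter. This is example code written for this page, not libcurl's url.c; the names (split_url, naive_overrun, host_fits, path_for) and the 64-byte field sizes are invented for the example. The hardened splitter counts the terminating NUL in its length checks (condition 1) and reserves an extra byte before prepending "/" when the path starts with "?" or is empty (condition 2); naive_overrun reproduces the "strlen + 1" sizing the CVE describes and reports, without actually overflowing anything, how many bytes that policy is short.

```c
/* Toy URL splitter illustrating the off-by-one conditions named in
 * CVE-2005-4077. Example code for this page, not curl's own code;
 * all names and buffer sizes here are invented for the illustration. */
#include <stdio.h>
#include <string.h>

typedef struct {
    char host[64];
    char path[64];
} url_parts;

/* Split "scheme://host[/path | ?query]" into host and path.
 * Returns 0 on success, -1 if either field plus its NUL would not fit.
 * A "?" before any "/" belongs to the path, and "/" is prepended, so the
 * path buffer needs one byte more than the bytes copied from the URL. */
int split_url(const char *url, url_parts *out)
{
    const char *p = strstr(url, "://");
    const char *host = p ? p + 3 : url;
    size_t hostlen = strcspn(host, "/?");
    const char *rest = host + hostlen;        /* "", "/..." or "?..." */

    /* Condition 1: the check must leave room for the NUL, so it is
     * "hostlen >= sizeof", never "hostlen > sizeof". */
    if (hostlen >= sizeof out->host)
        return -1;
    memcpy(out->host, host, hostlen);
    out->host[hostlen] = '\0';

    size_t restlen = strlen(rest);
    size_t prepend = (rest[0] != '/');        /* 1 when "/" must be added */

    /* Condition 2: bytes copied + prepended "/" + NUL must fit. */
    if (restlen + prepend + 1 > sizeof out->path)
        return -1;
    if (prepend)
        out->path[0] = '/';
    memcpy(out->path + prepend, rest, restlen + 1);   /* includes NUL */
    return 0;
}

/* The sizing arithmetic the CVE describes: a path buffer of strlen+1
 * bytes, then "/" prepended when the path has none. Returns how many
 * bytes such a write would run past the buffer (0 means it fits).
 * Nothing is written; this only compares the two sizes. */
size_t naive_overrun(const char *url)
{
    const char *p = strstr(url, "://");
    const char *host = p ? p + 3 : url;
    const char *rest = host + strcspn(host, "/?");
    size_t allocated = strlen(rest) + 1;                 /* bytes + NUL */
    size_t needed = strlen(rest) + (rest[0] != '/') + 1; /* + "/" + NUL */
    return needed > allocated ? needed - allocated : 0;
}

/* Build "http://" + n 'a' characters + "/" and return split_url's verdict,
 * so the hostname boundary can be probed at exactly sizeof(host). */
int host_fits(size_t n)
{
    char url[256];
    url_parts u;
    if (n + 9 > sizeof url)
        return -1;
    memcpy(url, "http://", 7);
    memset(url + 7, 'a', n);
    url[7 + n] = '/';
    url[8 + n] = '\0';
    return split_url(url, &u);
}

/* Convenience: the path split_url produces for url, or NULL on rejection. */
const char *path_for(const char *url)
{
    static url_parts u;
    return split_url(url, &u) == 0 ? u.path : NULL;
}

int main(void)
{
    const char *samples[] = { "http://example.com?x=1",   /* "?" in host part */
                              "http://example.com/a",
                              "http://example.com" };
    for (size_t i = 0; i < 3; i++)
        printf("%-26s path=%-8s naive policy short by %zu byte(s)\n",
               samples[i], path_for(samples[i]), naive_overrun(samples[i]));
    printf("63-byte host accepted: %d, 64-byte host accepted: %d\n",
           host_fits(63) == 0, host_fits(64) == 0);
    return 0;
}
```

The naive policy is exactly one byte short whenever the "/" has to be prepended, which is the off-by-one the advisory describes; the hostname side shows why a length check has to be written against sizeof minus one, since a hostname filling the buffer leaves nowhere for the terminator.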
Maintenance-Tracker-3191
is compat-curl2 also affected?
 6 remote non-root user
+0 human user
+1 default package
+1 default active
-1 user interaction
-1 DoS
Total Score: 6 (Moderate)
I submitted fixes for 9.2, 9.3 and 10.0. curl <= 7.11.1 (8.1, 9.0, 9.1 and compat-curl2) isn't affected. I'll update stable to 7.15.1 soon.
Thanks a lot. /work/src/done/PATCHINFO/curl.patch.box
packages approved
The CVE entry is wrong, I think. 7.11.0 can be tricked into the 2-byte overflow (\0 and 1 other); 7.9.8 can be tricked into the 1-byte (\0) overflow.
Hmm, still trying to find out.
I was mistaken.
CVE-2005-4077: CVSS v2 Base Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)