Bugzilla – Bug 157874
overflow in curl
Last modified: 2009-10-13 23:01:55 UTC
From: "Ulf Harnhammar" <metaur@operamail.com>
To: curl-security@haxx.se
Subject: cURL tftp:// URL Buffer Overflow
Date: Fri, 10 Mar 2006 16:32:13 +0100

cURL tftp:// URL Buffer Overflow

There is a buffer overflow in cURL when it fetches a tftp:// URL with a size of >66000 characters. The URL must start with "tftp://", then a valid hostname, and then another slash. The bug affects cURL versions 7.15.2, 7.15.1 and 7.15.0.

Successful exploitation of this vulnerability allows attackers to execute code within the context of cURL.

There are many programs that allow remote users to access cURL, for instance through its PHP bindings that let a PHP web developer write a web application that uses cURL on the web server to access a remote resource on the Internet. In such a case, if the web application does not check for very long URLs, any user of the web application may submit a URL that will be passed to cURL, causing a buffer overflow in it.

If cURL is configured to follow HTTP redirects, for example by using its -L command line option, any web resource can redirect to a tftp:// URL that causes this overflow.

If cURL is compiled with "./configure --disable-tftp && make", the whole TFTP support in the program is disabled. This secures it effectively against this vulnerability, but some users may wish to use the program's TFTP capabilities, making it an undesirable workaround for them.

I have attached an unofficial patch and a PHP script that exhibits redirecting from a web resource to a dangerous tftp:// URL.

I hope that we can coordinate our respective cURL updates to solve this issue in a proper manner.

// Ulf Harnhammar, Swedish Security Audit Group

--- curl-7.15.1_UNPATCHED/lib/tftp.c +++ curl-7.15.1/lib/tftp.c
@@ -271,7 +271,7 @@ /* If we are downloading, send an RRQ */ state->spacket.event = htons(TFTP_EVENT_RRQ); } - sprintf((char *)state->spacket.u.request.data, "%s%c%s%c", + snprintf((char *)state->spacket.u.request.data, 512, "%s%c%s%c", filename, '\0', mode, '\0'); sbytes = 4 + (int)strlen(filename) + (int)strlen(mode); sbytes = sendto(state->sockfd, (void *)&state->spacket, <?php header('Location: tftp://localhost/' . str_repeat('U', 197000)); ?>
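Review bot: replacing sprintf with snprintf stops the write past the end of the buffer, but the hunk leaves `sbytes = 4 + (int)strlen(filename) + (int)strlen(mode);` computed from the untruncated input lengths, so for an over-long filename the length handed to the following `sendto` no longer matches what was actually written into the 512-byte request area. The truncation should be detected and treated as an error instead: capture the snprintf return value and fail the request when it is >= the buffer size, and use `sizeof(state->spacket.u.request.data)` rather than the literal 512 so the limit cannot drift from the struct definition.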
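As an added illustration of the defensive shape the fix should take (this is example code written here, not the report's patch or curl's own tftp.c), the builder below checks that "filename\0mode\0" fits before writing anything and returns -1 otherwise, so the caller can fail the transfer instead of sending a silently truncated request with a mismatched length. The 512-byte request area is an assumption taken from the literal in the patch; the function and buffer names are hypothetical and the sample path is constructed.

```c
#include <stddef.h>
#include <string.h>

/* Assumption: the TFTP request data area is 512 bytes, matching the literal
 * in the patch. A real fix should use sizeof on the actual struct member. */
#define TFTP_REQ_DATA_SIZE 512

/* Write "filename\0mode\0" into buf and return the number of bytes written,
 * i.e. the exact value the caller should use as the payload length.
 * Returns -1 and writes nothing when the request does not fit, so an
 * over-long URL path is rejected rather than overflowed or truncated. */
int tftp_build_request(char *buf, size_t bufsize, const char *filename, const char *mode)
{
    size_t flen = strlen(filename);
    size_t mlen = strlen(mode);
    size_t need = flen + 1 + mlen + 1;   /* two strings plus two NUL terminators */

    if (need > bufsize)
        return -1;                       /* the overflow case: refuse it */
    memcpy(buf, filename, flen + 1);     /* copies the terminating NUL too */
    memcpy(buf + flen + 1, mode, mlen + 1);
    return (int)need;
}

/* Cheap pre-check for the URL layer: a path that can never fit in a request
 * can be rejected before any packet buffer is touched. */
int tftp_filename_fits(const char *filename, const char *mode)
{
    return strlen(filename) + strlen(mode) + 2 <= TFTP_REQ_DATA_SIZE;
}

/* Self-contained demonstration on constructed input: a normal path is
 * accepted with the correct byte count, a 999-character path is rejected. */
int tftp_demo_overlong_rejected(void)
{
    char data[TFTP_REQ_DATA_SIZE];
    char longname[1000];
    memset(longname, 'U', sizeof longname - 1);   /* constructed over-long path */
    longname[sizeof longname - 1] = '\0';

    int ok_len  = tftp_build_request(data, sizeof data, "boot/pxelinux.0", "octet");
    int bad_len = tftp_build_request(data, sizeof data, longname, "octet");
    /* 15 + NUL + 5 + NUL = 22 bytes for the good path; -1 for the bad one */
    return ok_len == 22 && bad_len == -1;
}
```

The point of computing `need` once and returning it is that the byte count sent on the wire and the bytes written into the buffer come from the same place; the mismatch that a bare snprintf leaves behind cannot arise.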
Date: Mon, 13 Mar 2006 13:35:51 -0500
From: Josh Bressers <bressers@redhat.com>
To: Ulf Harnhammar <metaur@operamail.com>
Cc: vendor-sec@lst.de, daniel@haxx.se, security@gentoo.org, naddy@mips.inka.de
Subject: Re: [vendor-sec] cURL tftp:// URL Buffer Overflow

> Hello,
>
> can we have a CAN/CVE id for this issue, please?
>
> We are considering releasing this information on Saturday this week. Is there anyone on the list that distributes
> a vulnerable version of cURL who finds that date inconvenient?

Ulf, thanks for the heads up. Saturday (2006-03-18) is probably a bad day for most of us. Can we move it to sometime during the next week (2006-03-20 to 2006-03-24)?

Use CVE-2006-1061 for this issue.

Thanks.

--
JB
There's no TFTP support in curl <= 7.14.0, so this does only affect STABLE.
Even better. So you only need to fix STABLE and we do not need updates if the fix in STABLE makes it in 10.1
Date: Tue, 14 Mar 2006 12:16:23 +0100
From: Ulf Harnhammar <metaur@operamail.com>
To: Josh Bressers <bressers@redhat.com>
Cc: vendor-sec@lst.de, daniel@haxx.se, security@gentoo.org, naddy@mips.inka.de
Subject: Re: [vendor-sec] cURL tftp:// URL Buffer Overflow

> Ulf, thanks for the heads up. Saturday (2006-03-18) is probably a bad day
> for most of us. Can we move it to sometime during the next week
> (2006-03-20 to 2006-03-24)?

OK, let's say Monday the 20th of March, then.

> Use CVE-2006-1061 for this issue.

Thanks!

// Ulf
please mention the CRD in your checkin mail so the autobuild team doesn't check it in before the CRD.
This means I can submit it now? Ok then.
done
was checked in -> fixed
CVE-2006-1061: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)