Bugzilla – Bug 1204384
VUL-0: CVE-2022-35260: curl: .netrc parser out-of-bounds access
Last modified: 2022-10-26 09:53:19 UTC
Public via oss-security:
CVE-2022-35260: .netrc parser out-of-bounds access
Project curl Security Advisory, October 26 2022 -
curl can be told to parse a `.netrc` file for credentials. If that file ends
in a line with consecutive non-white space letters and no newline, curl could
read past the end of the stack-based buffer, and if the read works, write a
zero byte possibly beyond its boundary.
This will in most cases cause a segfault or similar, but circumstances might
also cause different outcomes.
If a malicious user can provide a custom netrc file to an application or
otherwise affect its contents, this flaw could be used as denial-of-service.
We are not aware of any exploit of this flaw.
The flaw was introduced in curl with [this
commit](https://github.com/curl/curl/commit/eeaae10c0fb27aa06), first shipped
in curl 7.84.0.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2022-35260 to this issue.
CWE-121: Stack-based Buffer Overflow
- Affected versions: curl 7.84.0 to and including 7.85.0
- Not affected versions: curl < 7.84.0 and >= 7.86.0
libcurl is used by many applications, but not always advertised as such!
[The fix for CVE-2022-35260](https://github.com/curl/curl/commit/c97ec984fb2bc919a3aa86)
A - Upgrade curl to version 7.86.0
B - Apply the patch to your local version
C - Do not use `.netrc` files
This issue was reported to the curl project on October 3, 2022. We contacted
distros@openwall on October 18, 2022.
libcurl 7.86.0 was released on October 26 2022, coordinated with the
publication of this advisory.
- Reported-by: Hiroki Kurosawa
- Patched-by: Daniel Stenberg
Thanks a lot!
All done here, closing.