Bug 824517 (CVE-2013-2174) - VUL-0: curl: CVE-2013-2174: libcurl URL decode buffer boundary flaw
Summary: VUL-0: curl: CVE-2013-2174: libcurl URL decode buffer boundary flaw
Status: RESOLVED FIXED
Alias: CVE-2013-2174
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: maint:released:sles9-sp3-teradata:529...
Keywords:
Depends on:
Blocks:
 
Reported: 2013-06-12 02:21 UTC by Alexander Bergmann
Modified: 2017-06-16 12:04 UTC
CC: 2 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Comment 4 Swamp Workflow Management 2013-06-12 16:00:17 UTC
bugbot adjusting priority
Comment 14 Alexander Bergmann 2013-06-24 07:41:00 UTC
Now public via:

http://curl.haxx.se/docs/adv_20130622.html

libcurl URL decode buffer boundary flaw
=======================================
 
Project cURL Security Advisory, June 22nd 2013
http://curl.haxx.se/docs/security.html
 
1. VULNERABILITY
 
  libcurl is vulnerable to a case of bad checking of the input data which may
  lead to heap corruption.
 
  The function curl_easy_unescape() decodes URL encoded strings to raw binary
  data. URL encoded octets are represented with %HH combinations where HH is a
  two-digit hexadecimal number. The decoded string is written to an allocated
  memory area that the function returns to the caller.
 
  The function takes a source string and a length parameter, and if the length
  provided is 0 the function will instead use strlen() to figure out how much
  data to parse.
 
  The "%HH" parser wrongly only considered the case where a zero byte would
  terminate the input. If a length-limited buffer was passed in which ended
  with a '%' character that was followed by two hexadecimal digits outside of
  the buffer libcurl was allowed to parse, alas without a terminating zero,
  libcurl would still parse that sequence as well. The counter for remaining
  data to handle would then be decreased too much and wrap to become a very
  large integer, and the copying would go on too long and the destination
  buffer that is allocated on the heap would get overwritten.
 
  We consider it unlikely that programs allow user-provided strings unfiltered
  into this function. Also, only the not zero-terminated input string use case
  is affected by this flaw. Exploiting this flaw for gain is probably possible
  for specific circumstances but we consider the general risk for this to be
  low.
 
  The curl command line tool is not affected by this problem as it doesn't use
  this function.
 
  There are no known exploits available at this time.
 
  The Common Vulnerabilities and Exposures (CVE) project has assigned the name
  CVE-2013-2174 to this issue.
 
2. AFFECTED VERSIONS
 
  Affected versions: from libcurl 7.7 to and including 7.30.0
  Not affected versions: libcurl before 7.7 and >= 7.31.0
 
  libcurl is used by many applications, but not always advertised as such!
 
3. THE SOLUTION
 
  libcurl 7.31.0 implements a proper check that the following hexdigits are
  within the provided input length.
 
4. RECOMMENDATIONS
 
  We suggest you take one of the following actions immediately, in order of
  preference:
 
  A - Upgrade to curl and libcurl 7.31.0
 
  B - Apply this patch and rebuild libcurl
 
      http://curl.haxx.se/libcurl-unescape.patch
 
  C - Double-check your curl_easy_unescape() usage (for example use it with
      the 'length' argument set to 0), or avoid using that function
 
5. TIME LINE
 
  Vulnerability found by Timo Sirainen. Patched by Daniel Stenberg.
 
  It was reported to the curl project on May 19th 2013. We contacted
  linux-distros on June 12th.
 
  curl 7.31.0 was released on June 22nd 2013, coordinated with the
  publication of this advisory.
 
6. CREDITS
 
  Reported by Timo Sirainen. Thanks a lot!
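Added illustration (not libcurl code, and not part of the advisory or this bug report) of the boundary check the advisory says 7.31.0 added: a length-limited %HH decoder that only decodes a '%' when both hex digits lie inside the given length, so a '%' at the end of a non-zero-terminated buffer is copied literally instead of driving the remaining-length counter negative. The function names `hexval`, `unescape_n` and `unescape_matches` are hypothetical.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode src[0..len) into a newly allocated, zero-terminated buffer and
 * store the decoded length in *outlen. A '%' is decoded only if two hex
 * digits fit inside len (the check the advisory describes); otherwise it
 * is copied as-is. src is never read past len, so it need not be
 * zero-terminated. Returns NULL on allocation failure. */
char *unescape_n(const char *src, size_t len, size_t *outlen)
{
    char *out = malloc(len + 1);        /* decoding never grows the data */
    size_t o = 0;
    if (!out) return NULL;
    for (size_t i = 0; i < len; i++) {
        if (src[i] == '%' && len - i >= 3) {   /* room for "%HH" in bounds? */
            int hi = hexval((unsigned char)src[i + 1]);
            int lo = hexval((unsigned char)src[i + 2]);
            if (hi >= 0 && lo >= 0) {
                out[o++] = (char)(hi * 16 + lo);
                i += 2;                           /* consumed three bytes */
                continue;
            }
        }
        out[o++] = src[i];
    }
    out[o] = '\0';
    if (outlen) *outlen = o;
    return out;
}

/* Decode src[0..len) and compare the result to want[0..wantlen). */
int unescape_matches(const char *src, size_t len, const char *want, size_t wantlen)
{
    size_t n = 0;
    char *got = unescape_n(src, len, &n);
    int ok = got && n == wantlen && memcmp(got, want, n) == 0;
    free(got);
    return ok;
}
```

Passing the constructed string "a%41" with a length of 3 reproduces the advisory's boundary case (the '%' is followed by hex digits that lie outside the permitted length); the decoder returns the three bytes "a%4" rather than consuming bytes beyond the buffer.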
Comment 15 Vítězslav Čížek 2013-06-24 07:57:54 UTC
Submitted remaining fixes for openSUSE distributions.
Reassigning to security-team.
Comment 16 Bernhard Wiedemann 2013-06-27 16:00:10 UTC
This is an autogenerated message for OBS integration:
This bug (824517) was mentioned in
https://build.opensuse.org/request/show/181211 Evergreen:11.2 / curl
Comment 17 Swamp Workflow Management 2013-07-03 15:04:24 UTC
openSUSE-SU-2013:1132-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 824517
CVE References: CVE-2013-2174
Sources used:
openSUSE 12.3 (src):    curl-7.28.1-4.17.1
openSUSE 12.2 (src):    curl-7.25.0-2.16.1
Comment 18 Swamp Workflow Management 2013-07-03 19:04:23 UTC
openSUSE-SU-2013:1133-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 824517
CVE References: CVE-2013-2174
Sources used:
openSUSE 11.4 (src):    curl-7.21.2-33.1
Comment 19 Bernhard Wiedemann 2013-07-04 07:00:19 UTC
This is an autogenerated message for OBS integration:
This bug (824517) was mentioned in
https://build.opensuse.org/request/show/181958 Evergreen:11.2 / curl
Comment 20 Swamp Workflow Management 2013-07-09 12:04:24 UTC
Update released for: curl, curl-debuginfo, curl-debugsource, libcurl-devel, libcurl4, libcurl4-32bit
Products:
SLE-SERVER 11-SP1-TERADATA (x86_64)
Comment 21 Swamp Workflow Management 2013-07-09 12:05:07 UTC
Update released for: curl, curl-devel
Products:
SUSE-CORE 9-SP3-TERADATA (x86_64)
Comment 22 Swamp Workflow Management 2013-07-09 14:48:18 UTC
Update released for: compat-curl2, compat-curl2-32bit, compat-curl2-64bit, compat-curl2-debuginfo, compat-curl2-x86
Products:
SLE-DESKTOP 10-SP4 (i386, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Comment 23 Swamp Workflow Management 2013-07-09 14:54:40 UTC
Update released for: curl, curl-debuginfo, curl-debugsource, libcurl-devel, libcurl4, libcurl4-32bit, libcurl4-x86
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)
Comment 24 Swamp Workflow Management 2013-07-09 14:55:32 UTC
Update released for: libcurl4, libcurl4-32bit, libcurl4-debuginfo
Products:
SLE-DESKTOP 10-SP4 (i386, x86_64)
Comment 25 Swamp Workflow Management 2013-07-09 15:02:18 UTC
Update released for: curl, curl-debuginfo, curl-debugsource, libcurl-devel, libcurl4, libcurl4-32bit, libcurl4-x86
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)
Comment 26 Swamp Workflow Management 2013-07-09 15:04:17 UTC
Update released for: curl, curl-32bit, curl-debuginfo, curl-devel
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 27 Swamp Workflow Management 2013-07-09 15:04:41 UTC
Update released for: compat-curl2, compat-curl2-32bit, compat-curl2-debuginfo
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 28 Swamp Workflow Management 2013-07-10 13:51:07 UTC
Update released for: curl, curl-32bit, curl-64bit, curl-debuginfo, curl-devel, curl-x86
Products:
SLE-DESKTOP 10-SP4 (i386, x86_64)
SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Comment 29 Marcus Meissner 2013-07-10 14:16:09 UTC
released
Comment 30 Swamp Workflow Management 2013-11-20 10:47:09 UTC
Update released for: curl, curl-debuginfo, curl-debugsource, libcurl-devel, libcurl4, libcurl4-32bit
Products:
SLE-DEBUGINFO 11-SP1 (i386, s390x, x86_64)
SLE-SERVER 11-SP1-LTSS (i386, s390x, x86_64)
SLES4VMWARE 11-SP1-LTSS (i386, x86_64)