Bugzilla – Bug 927607
VUL-0: CVE-2015-3145: curl: cookie parser out of boundary memory access
Last modified: 2015-06-18 08:37:53 UTC
bugbot adjusting priority
Created attachment 631532 [details] CVE-2015-3145.patch CVE-2015-3145.patch
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-05-04. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/61571
This is an autogenerated message for OBS integration: This bug (927607) was mentioned in https://build.opensuse.org/request/show/298499 13.2+13.1 / curl
public via http://curl.haxx.se/docs/adv_20150422C.html cookie parser out of boundary memory access =========================================== Project cURL Security Advisory, April 22nd 2015 - [Permalink](http://curl.haxx.se/docs/adv_20150422C.html) VULNERABILITY ------------- libcurl supports HTTP "cookies" as documented in RFC 6265. Together with each individual cookie there are several different properties, but for this vulnerability we focus on the associated "path" element. It tells information about for which path on a given host the cookies is valid. The internal libcurl function called `sanitize_cookie_path()` that cleans up the path element as given to it from a remote site or when read from a file, did not properly validate the input. If given a path that consisted of a single double-quote, libcurl would index a newly allocated memory area with index -1 and assign a zero to it, thus destroying heap memory it wasn't supposed to. At best, this gets unnoticed but can also lead to a crash or worse. We have not researched further what kind of malicious actions that potentially this could be used for. Applications have to explicitly enable cookie parsing in libcurl for this problem to trigger, and if not enabled libcurl will not hit this problem. We are not aware of any exploits of this flaw. INFO ---- This flaw can also affect the curl command line tool if a similar operation series is made with that. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2015-3145 to this issue. AFFECTED VERSIONS ----------------- - Affected versions: from libcurl 7.31.0 to and including 7.41.0 - Not affected versions: libcurl >= 7.42.0 libcurl is used by many applications, but not always advertised as such! THE SOLUTION ------------ libcurl 7.42.0 better verifies the input string. A patch for this problem is available at [URL will be updated]: http://curl.haxx.se/CVE-2015-3145.patch RECOMMENDATIONS --------------- We suggest you take one of the following actions immediately, in order of preference: A - Upgrade to curl and libcurl 7.42.0 B - Apply the patch and rebuild libcurl C - Avoid using cookies with libcurl TIME LINE --------- It was first reported to the curl project on April 16 2015. We contacted distros@openwall on April 17th. libcurl 7.42.0 was released on April 22nd 2015, coordinated with the publication of this advisory. CREDITS ------- Reported by Hanno Böck Thanks a lot!
openSUSE-SU-2015:0799-1: An update that fixes four vulnerabilities is now available. Category: security (moderate) Bug References: 927556,927607,927608,927746 CVE References: CVE-2015-3143,CVE-2015-3144,CVE-2015-3145,CVE-2015-3148 Sources used: openSUSE 13.2 (src): curl-7.42.0-7.1 openSUSE 13.1 (src): curl-7.42.0-2.38.1
SUSE-SU-2015:0990-1: An update that fixes 5 vulnerabilities is now available. Category: security (moderate) Bug References: 927556,927607,927608,927746,928533 CVE References: CVE-2015-3143,CVE-2015-3144,CVE-2015-3145,CVE-2015-3148,CVE-2015-3153 Sources used: SUSE Linux Enterprise Software Development Kit 12 (src): curl-7.37.0-15.1 SUSE Linux Enterprise Server 12 (src): curl-7.37.0-15.1 SUSE Linux Enterprise Desktop 12 (src): curl-7.37.0-15.1
was released