Bug 934502 (CVE-2015-3237) - VUL-1: CVE-2015-3237: curl: SMB send off unrelated memory contents
Summary: VUL-1: CVE-2015-3237: curl: SMB send off unrelated memory contents
Status: RESOLVED FIXED
Alias: CVE-2015-3237
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other openSUSE 13.2
: P4 - Low : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-06-12 07:22 UTC by Andreas Stieger
Modified: 2015-06-24 14:22 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Andreas Stieger 2015-06-12 13:07:07 UTC 
openSUSE:13.1:Update 7.42.1 affected
openSUSE:13.2:Update 7.42.1 affected
openSUSE Tumbleweed  7.42.1 affected

SLE not affected.
Comment 2 Swamp Workflow Management 2015-06-12 22:01:43 UTC 
bugbot adjusting priority
Comment 3 Andreas Stieger 2015-06-17 12:05:19 UTC 
public at http://curl.haxx.se/docs/adv_20150617B.html

SMB send off unrelated memory contents

Project cURL Security Advisory, June 17th 2015 - Permalink
VULNERABILITY

libcurl can get tricked by a malicious SMB server to send off data it did not intend to.

In libcurl's state machine function handling the SMB protocol (smb_request_state()), two length and offset values are extracted from data that has arrived over the network, and those values are subsequently used to figure out what data range to send back.

The values are used and trusted without boundary checks and are just assumed to be valid. This allows carefully handicrafted packages to trick libcurl into responding and sending off data that was not intended. Or just crash if the values cause libcurl to access invalid memory.

We are not aware of any exploit of this flaw.
INFO

This flaw can also affect the curl command line tool if a similar operation series is made with that.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2015-3237 to this issue.
AFFECTED VERSIONS

This flaw is relevant for

    Affected versions: libcurl 7.40.0 to and including 7.42.1
    Not affected versions: libcurl < 7.40.0 and libcurl >= 7.43.0

libcurl is used by many applications, but not always advertised as such!
THE SOLUTION

In version 7.43.0, libcurl properly range checks the values before they are used.

A patch for this problem that changes the default is available at (URL will be updated in final advisory):

http://curl.haxx.se/CVE-2015-3237.patch

RECOMMENDATIONS

We suggest you take one of the following actions immediately, in order of preference:

A - Upgrade curl and libcurl to version 7.43.0

B - Apply the patch to your version and rebuild

C - Avoid using the SMB protocol
TIME LINE

It was first brought up with the curl-security team on May 22 2015. We contacted distros@openwall on June 11.

libcurl 7.43.0 was released on June 17 2015, coordinated with the publication of this advisory.
CREDITS

Spotted by Daniel Stenberg.

Thanks a lot!
Comment 4 Bernhard Wiedemann 2015-06-17 15:00:14 UTC 
This is an autogenerated message for OBS integration:
This bug (934502) was mentioned in
https://build.opensuse.org/request/show/312422 13.2+13.1 / curl
Comment 5 Andreas Stieger 2015-06-17 15:38:26 UTC 
update running
Comment 6 Swamp Workflow Management 2015-06-24 13:07:10 UTC 
openSUSE-SU-2015:1135-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 851126,934501,934502
CVE References: CVE-2015-3236,CVE-2015-3237
Sources used:
openSUSE 13.2 (src):    curl-7.42.1-16.1
openSUSE 13.1 (src):    curl-7.42.1-2.47.1
Comment 7 Marcus Meissner 2015-06-24 14:22:08 UTC 
released