On Wed, Jul 24, 2024 at 08:34:35AM +0200, Daniel Stenberg wrote:
> freeing stack buffer in utf8asn1str
> ===================================
>
> Project curl Security Advisory, July 24th 2024 -
> [Permalink](https://curl.se/docs/CVE-2024-6197.html)
>
> VULNERABILITY
> -------------
>
> libcurl's ASN1 parser has this utf8asn1str() function used for parsing an
> ASN.1 UTF-8 string. It can detect an invalid field and return error.
> Unfortunately, when doing so it also invokes `free()` on a 4 byte local stack
> buffer.
>
> Most modern malloc implementations detect this error and immediately abort.
> Some however accept the input pointer and add that memory to its list of
> available chunks. This leads to the overwriting of nearby stack memory. The
> content of the overwrite is decided by the `free()` implementation; likely to
> be memory pointers and a set of flags.

Which implementations are known to deterministically abort immediately?
This determines if this is denial of service only or if it could lead to
code execution.

> The most likely outcome of exploiting this flaw is a crash, although it cannot
> be ruled out that more serious results can be had in special circumstances.
>
> INFO
> ----
>
> The vulnerable code path can be triggered by a malicious server offering an
> especially crafted TLS certificate.
>
> This bug was introduced in a code refactor shipped in the curl 8.6.0 release
> and is considered a *C mistake* (likely to have been avoided had we not been
> using C).
>
> This flaw also affects the curl command line tool.
>
> The Common Vulnerabilities and Exposures (CVE) project has assigned the name
> CVE-2024-6197 to this issue.
>
> CWE-590: Free of Memory not on the Heap
>
> Severity: Medium
>
> AFFECTED VERSIONS
> -----------------
>
> The vulnerable code can only be reached when curl is built to use GnuTLS,
> wolfSSL, Schannel or Secure Transport. Builds using other TLS backends are not
> vulnerable.
>
> - Affected versions: curl 8.6.0 to and including 8.8.0
> - Not affected versions: curl < 8.6.0 and >= 8.9.0
> - Introduced-in: https://github.com/curl/curl/commit/623c3a8fa0bdb2751f1
>
> libcurl is used by many applications, but not always advertised as such!
>
> SOLUTION
> ------------
>
> - Fixed-in: https://github.com/curl/curl/commit/3a537a4db9e65e545
>
> RECOMMENDATIONS
> ---------------
>
> We suggest you take one of the following actions immediately, in order of
> preference:
>
> A - Upgrade curl and libcurl to version 8.9.0
>
> B - Apply the patch to your version and rebuild
>
> C - Build your libcurl with an unaffected TLS backend
>
> TIMELINE
> ---------
>
> This issue was reported to the curl project on June 19, 2024. We contacted
> distros@openwall on July 15, 2024.
>
> curl 8.9.0 was released on July 24 2024 around 06:00 UTC, coordinated with
> the publication of this advisory.
>
> CREDITS
> -------
>
> - Reported-by: z2_
> - Patched-by: z2_
>
> Thanks a lot!
>
> --
>
>  / daniel.haxx.se
>  | Commercial curl support up to 24x7 is available!
>  | Private help, bug fixes, support, ports, new features
>  | https://curl.se/support.html

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
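The bug class the quoted advisory describes (CWE-590, an error path that calls `free()` on a pointer which may still point at a local stack array) is easy to see in a small self-contained program. The following C is an added example written for this thread; it is not curl's utf8asn1str() code and not the fix commit. The decoder, its input format (bytes with the top bit set are "invalid"), the function names and the error codes are all assumptions made for illustration. The defective variant is kept next to the corrected one so the difference in the error path is visible; main() only runs the corrected one.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical decoder (constructed for this example, not curl's code).
 * Inputs that fit are decoded into a 4-byte stack buffer, longer inputs
 * into a heap allocation. Any byte with the top bit set is "invalid". */
enum { OK = 0, ERR_INVALID = 1, ERR_NOMEM = 2 };

/* Defective variant: the error path frees `buf` without checking whether
 * it points at the local array. For short invalid input this is free()
 * on a stack address. glibc normally aborts with "free(): invalid
 * pointer"; AddressSanitizer reports "attempting free on address which
 * was not malloc()-ed". Deliberately not called by main(). */
int decode_defective(const unsigned char *in, size_t len, char *out, size_t outsz)
{
    char stack[4];
    char *buf = stack;
    if (len + 1 > sizeof(stack)) {
        buf = malloc(len + 1);
        if (!buf)
            return ERR_NOMEM;
    }
    for (size_t i = 0; i < len; i++) {
        if (in[i] & 0x80) {
            free(buf);                 /* BUG: buf may be &stack[0] */
            return ERR_INVALID;
        }
        buf[i] = (char)in[i];
    }
    buf[len] = '\0';
    snprintf(out, outsz, "%s", buf);
    if (buf != stack)
        free(buf);
    return OK;
}

/* Corrected variant: remember whether the buffer came from malloc() and
 * release it in exactly one place, so no exit path can free the array. */
int decode_fixed(const unsigned char *in, size_t len, char *out, size_t outsz)
{
    char stack[4];
    char *buf = stack;
    int heap = 0;
    int rc = OK;
    if (len + 1 > sizeof(stack)) {
        buf = malloc(len + 1);
        if (!buf)
            return ERR_NOMEM;
        heap = 1;
    }
    for (size_t i = 0; i < len; i++) {
        if (in[i] & 0x80) {
            rc = ERR_INVALID;
            goto out;                  /* single cleanup path */
        }
        buf[i] = (char)in[i];
    }
    buf[len] = '\0';
    snprintf(out, outsz, "%s", buf);
out:
    if (heap)
        free(buf);                     /* only ever heap memory */
    return rc;
}

/* Small wrappers around the corrected decoder so results can be checked. */
static char last_out[64];

int try_decode(const char *s)
{
    return decode_fixed((const unsigned char *)s, strlen(s),
                        last_out, sizeof(last_out));
}

const char *last_output(void)
{
    return last_out;
}

int main(void)
{
    /* Constructed sample inputs: short/long, valid/invalid. */
    const char *samples[] = { "ab", "\x80", "abcdefgh", "abcdefg\x80" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int rc = try_decode(samples[i]);
        printf("input %zu: rc=%d%s%s\n", i, rc,
               rc == OK ? " out=" : "", rc == OK ? last_output() : "");
    }
    return 0;
}
```

Building the same file with `-fsanitize=address` and calling decode_defective() with a short invalid input makes the sanitizer report the bad free at the exact line, which is the cheapest way to catch this pattern in CI before a malloc implementation's behaviour decides the outcome.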