Bug 1902687 (CVE-2020-8285) - CVE-2020-8285 curl: Malicious FTP server can trigger stack overflow when CURLOPT_CHUNK_BGN_FUNCTION is used
Summary: CVE-2020-8285 curl: Malicious FTP server can trigger stack overflow when CURL...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-8285
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1905124 1905126 1902889 1902890 1905123 1906110 1906112 1906114 1906116
Blocks: 1902669
TreeView+ depends on / blocked
 
Reported: 2020-11-30 12:21 UTC by Marian Rehak
Modified: 2021-06-17 11:45 UTC (History)
41 users (show)

See Also:
Fixed In Version: curl 7.74.0
Doc Type: If docs needed, set a value
Doc Text:
Libcurl offers a wildcard matching functionality, which allows a callback (set with `CURLOPT_CHUNK_BGN_FUNCTION`) to return information back to libcurl on how to handle a specific entry in a directory when libcurl iterates over a list of all available entries. When this callback returns `CURL_CHUNK_BGN_FUNC_SKIP`, to tell libcurl to not deal with that file, the internal function in libcurl then calls itself recursively to handle the next directory entry. If there's a sufficient amount of file entries and if the callback returns "skip" enough number of times, libcurl runs out of stack space. The exact amount will of course vary with platforms, compilers and other environmental factors.
Clone Of:
Environment:
Last Closed: 2021-05-18 20:37:31 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:2471 0 None None None 2021-06-17 11:35:42 UTC
Red Hat Product Errata RHSA-2021:2472 0 None None None 2021-06-17 11:45:34 UTC

Description Marian Rehak 2020-11-30 12:21:34 UTC
libcurl offers a wildcard matching functionality, which allows a callback (set with `CURLOPT_CHUNK_BGN_FUNCTION`) to return information back to libcurl on how to handle a specific entry in a directory when libcurl iterates over a list of all available entries. When this callback returns `CURL_CHUNK_BGN_FUNC_SKIP`, to tell libcurl to not deal with that file, the internal function in libcurl then calls itself recursively to handle the next directory entry. If there's a sufficient amount of file entries and if the callback returns "skip" enough number of times, libcurl runs out of stack space. The exact amount will of course vary with platforms, compilers and other environmental factors.

Comment 2 Todd Cullum 2020-11-30 22:39:12 UTC
Flaw summary:

A malicious server whose filesystem is configured in a crafted way, could crash an application using libcurl as a dependency, by causing a stack overflow via uncontrolled recursion. This could result in a temporary denial of service.

Note that the curl program itself is not affected, as it does not use the affected functionality of libcurl.

Comment 3 Todd Cullum 2020-11-30 22:42:34 UTC
Mitigation:

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Comment 10 Guilherme de Almeida Suckevicz 2020-12-09 17:19:01 UTC
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 1906110]


Created flickcurl tracking bugs for this issue:

Affects: epel-7 [bug 1906116]
Affects: fedora-all [bug 1906114]


Created mingw-curl tracking bugs for this issue:

Affects: fedora-all [bug 1906112]

Comment 11 Todd Cullum 2020-12-09 18:51:03 UTC
Acknowledgments:

Name: Varnavas Papaioannou

Comment 12 Todd Cullum 2020-12-09 18:53:18 UTC
External References:

https://github.com/curl/curl/issues/6255
https://curl.se/docs/CVE-2020-8285.html

Comment 13 Tomas Hoger 2021-04-07 08:03:20 UTC
Upstream commit:

https://github.com/curl/curl/commit/69a358f2186e04

Comment 14 errata-xmlrpc 2021-05-18 13:40:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1610 https://access.redhat.com/errata/RHSA-2021:1610

Comment 15 Product Security DevOps Team 2021-05-18 20:37:31 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8285

Comment 17 errata-xmlrpc 2021-06-17 11:35:31 UTC
This issue has been addressed in the following products:

  JBoss Core Services Apache HTTP Server 2.4.37 SP8

Via RHSA-2021:2471 https://access.redhat.com/errata/RHSA-2021:2471

Comment 18 errata-xmlrpc 2021-06-17 11:45:23 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2021:2472 https://access.redhat.com/errata/RHSA-2021:2472


Note You need to log in before you can comment on or make changes to this bug.