Bug 1233814 (CVE-2015-3237)

Summary: CVE-2015-3237 curl: SMB send off unrelated memory contents
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ceph-eng-bugs, kdudka, paul
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: curl 7.43.0 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-07-07 12:08:41 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1233818    
Bug Blocks: 1233817    

Description Vasyl Kaigorodov 2015-06-19 13:54:08 UTC 
http://curl.haxx.se/docs/adv_20150617B.html

SMB send off unrelated memory contents

Project cURL Security Advisory, June 17th 2015 - Permalink
VULNERABILITY

libcurl can get tricked by a malicious SMB server to send off data it did not intend to.

In libcurl's state machine function handling the SMB protocol (smb_request_state()), two length and offset values are extracted from data that has arrived over the network, and those values are subsequently used to figure out what data range to send back.

The values are used and trusted without boundary checks and are just assumed to be valid. This allows carefully handicrafted packages to trick libcurl into responding and sending off data that was not intended. Or just crash if the values cause libcurl to access invalid memory.

We are not aware of any exploit of this flaw.
INFO

This flaw can also affect the curl command line tool if a similar operation series is made with that.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2015-3237 to this issue.
AFFECTED VERSIONS

This flaw is relevant for

    Affected versions: libcurl 7.40.0 to and including 7.42.1
    Not affected versions: libcurl < 7.40.0 and libcurl >= 7.43.0

libcurl is used by many applications, but not always advertised as such!
THE SOLUTION

In version 7.43.0, libcurl properly range checks the values before they are used.

A patch for this problem that changes the default is available at (URL will be updated in final advisory):

http://curl.haxx.se/CVE-2015-3237.patch
 http://curl.haxx.se/docs/adv_20150617B.html

SMB send off unrelated memory contents

Project cURL Security Advisory, June 17th 2015 - Permalink
VULNERABILITY

libcurl can get tricked by a malicious SMB server to send off data it did not intend to.

In libcurl's state machine function handling the SMB protocol (smb_request_state()), two length and offset values are extracted from data that has arrived over the network, and those values are subsequently used to figure out what data range to send back.

The values are used and trusted without boundary checks and are just assumed to be valid. This allows carefully handicrafted packages to trick libcurl into responding and sending off data that was not intended. Or just crash if the values cause libcurl to access invalid memory.

We are not aware of any exploit of this flaw.
INFO

This flaw can also affect the curl command line tool if a similar operation series is made with that.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2015-3237 to this issue.
AFFECTED VERSIONS

This flaw is relevant for

    Affected versions: libcurl 7.40.0 to and including 7.42.1
    Not affected versions: libcurl < 7.40.0 and libcurl >= 7.43.0

libcurl is used by many applications, but not always advertised as such!
THE SOLUTION

In version 7.43.0, libcurl properly range checks the values before they are used.

A patch for this problem that changes the default is available at (URL will be updated in final advisory):

http://curl.haxx.se/CVE-2015-3237.patch

Acknowledgements:

Red Hat would like to thank curl upstream for reporting this issue. Upstream acknowledges Daniel Stenberg as the original reporter.
Comment 1 Vasyl Kaigorodov 2015-06-19 14:00:46 UTC 
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 1233818]
Comment 3 Fedora Update System 2015-06-24 15:59:21 UTC 
curl-7.40.0-5.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Stefan Cornelius 2015-07-07 11:44:11 UTC 
SMB/CIFS support was added in version 7.40.0, released January 8 2015. None of the RHEL variants or ceph ship a version >7.40.0 or contain this functionality. Thus, they are not affected.

Statement:

This issue did not affect the versions of curl as shipped with Red Hat Enterprise Linux 5, 6, and 7, as they did not include support for SMB/CIFS.
Comment 5 Stefan Cornelius 2015-07-07 12:08:41 UTC 
Fedora is fixed, so we can close this.