Bug 175358

Summary: CVE-2005-4077 not fixed by curl-7.13.1-4.fc4
Product: Fedora
Reporter: Wilfried Weissmann <wilfried.weissmann>
Component: curl
Assignee: Ivana Varekova <varekova>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: 4
CC: bressers, daniel
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2005-12-12 14:32:58 UTC
Bug Depends On: 175265

Description Wilfried Weissmann 2005-12-09 13:05:52 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050922 Fedora/1.0.7-1.1.fc4 Firefox/1.0.7

Description of problem:
Fedora Core 4 is still affected by CVE-2005-4077! curl 7.13.1 and earlier need to allocate +3 bytes instead of +2 since the default path is '/' and not "\0" like it is in 7.15.1:

lib/url.c:2386
    /* Set default path */
    strcpy(conn->path, "/");

and then in:

lib/url.c:2451
    /* move the existing path plus the zero byte */
    memmove(conn->path+len+1, conn->path, strlen(conn->path)+1);

we need one additional byte for the \0, one for the leading '/' and one for the trailing '/' of the default path.

$ rpm -q curl
curl-7.13.1-4.fc4
$ curl '?0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0'
*** glibc detected *** curl: double free or corruption (!prev): 0x089b54a0 ***
======= Backtrace: =========
/lib/libc.so.6[0x903124]
/lib/libc.so.6(__libc_free+0x77)[0x90365f]
/usr/lib/libcurl.so.3(Curl_safefree+0x24)[0x7dc01c]
/usr/lib/libcurl.so.3(Curl_disconnect+0xcf)[0x7dc32d]
/usr/lib/libcurl.so.3(Curl_connect+0x7f3)[0x7dede2]
/usr/lib/libcurl.so.3[0x7e8c7d]
/usr/lib/libcurl.so.3(Curl_perform+0xe3)[0x7eaf3c]
/usr/lib/libcurl.so.3(curl_easy_perform+0x36)[0x7eb50b]
curl[0x804e642]
/lib/libc.so.6(__libc_start_main+0xdf)[0x8b4d5f]
curl[0x8049861]
======= Memory map: ========
00101000-0012f000 r-xp 00000000 fd:00 14336973   /usr/lib/libidn.so.11.5.8
0012f000-00131000 rwxp 0002d000 fd:00 14336973   /usr/lib/libidn.so.11.5.8
00131000-0013a000 r-xp 00000000 fd:00 18087988   /lib/libnss_files-2.3.5.so
0013a000-0013b000 r-xp 00008000 fd:00 18087988   /lib/libnss_files-2.3.5.so
0013b000-0013c000 rwxp 00009000 fd:00 18087988   /lib/libnss_files-2.3.5.so
0013c000-00144000 r-xp 00000000 fd:00 18087993   /lib/libnss_nis-2.3.5.so
00144000-00145000 r-xp 00007000 fd:00 18087993   /lib/libnss_nis-2.3.5.so
00145000-00146000 rwxp 00008000 fd:00 18087993   /lib/libnss_nis-2.3.5.so
002a0000-002a2000 r-xp 00000000 fd:00 18088064   /lib/libcom_err.so.2.1
002a2000-002a3000 rwxp 00001000 fd:00 18088064   /lib/libcom_err.so.2.1
002a5000-002a7000 r-xp 00000000 fd:00 14328902   /usr/lib/libkrb5support.so.0.0
002a7000-002a8000 rwxp 00001000 fd:00 14328902   /usr/lib/libkrb5support.so.0.0
002aa000-002cd000 r-xp 00000000 fd:00 14336958   /usr/lib/libk5crypto.so.3.0
002cd000-002ce000 rwxp 00023000 fd:00 14336958   /usr/lib/libk5crypto.so.3.0
0032e000-0039d000 r-xp 00000000 fd:00 14324228   /usr/lib/libkrb5.so.3.2
0039d000-003a0000 rwxp 0006e000 fd:00 14324228   /usr/lib/libkrb5.so.3.2
003a2000-0049a000 r-xp 00000000 fd:00 18088047   /lib/libcrypto.so.0.9.7f
0049a000-004ac000 rwxp 000f8000 fd:00 18088047   /lib/libcrypto.so.0.9.7f
004ac000-004af000 rwxp 004ac000 00:00 0
004b7000-004ce000 r-xp 00000000 fd:00 14332639   /usr/lib/libgssapi_krb5.so.2.2
004ce000-004cf000 rwxp 00017000 fd:00 14332639   /usr/lib/libgssapi_krb5.so.2.2
004d1000-00506000 r-xp 00000000 fd:00 18089847   /lib/libssl.so.0.9.7f
00506000-00509000 rwxp 00035000 fd:00 18089847   /lib/libssl.so.0.9.7f
007aa000-007b3000 r-xp 00000000 fd:00 18087966   /lib/libgcc_s-4.0.2-20051126.so.1
007b3000-007b4000 rwxp 00009000 fd:00 18087966   /lib/libgcc_s-4.0.2-20051126.so.1
007c7000-007fa000 r-xp 00000000 fd:00 14327343   /usr/lib/libcurl.so.3.0.0
007fa000-007fb000 rwxp 00033000 fd:00 14327343   /usr/lib/libcurl.so.3.0.0
00882000-0089c000 r-xp 00000000 fd:00 18088978   /lib/ld-2.3.5.so
0089c000-0089d000 r-xp 00019000 fd:00 18088978   /lib/ld-2.3.5.so
0089d000-0089e000 rwxp 0001a000 fd:00 18088978   /lib/ld-2.3.5.so
008a0000-009c3000 r-xp 00000000 fd:00 18088995   /lib/libc-2.3.5.so
009c3000-009c5000 r-xp 00123000 fd:00 18088995   /lib/libc-2.3.5.so
009c5000-009c7000 rwxp 00125000 fd:00 18088995   /lib/libc-2.3.5.so
009c7000-009c9000 rwxp 009c7000 00:00 0
009f2000-009f4000 r-xp 00000000 fd:00 18089002   /lib/libdl-2.3.5.so
009f4000-009f5000 r-xp 00001000 fd:00 18089002   /lib/libdl-2.3.5.so
009f5000-009f6000 rwxp 00002000 fd:00 18089002   /lib/libdl-2.3.5.so
009f8000-00a0a000 r-xp 00000000 fd:00 14336912   /usr/lib/libz.so.1.2.2.2
00a0a000-00a0b000 rwxp 00011000 fd:00 14336912   /usr/lib/libz.so.1.2.2.2
00a8e000-00a8f000 r-xp 00a8e000 00:00 0          [vdso]
00c01000-00c10000 r-xp 00000000 fd:00 18089008   /lib/libresolv-2.3.5.so
00c10000-00c11000 r-xp 0000e000 fd:00 18089008   /lib/libresolv-2.3.5.so
00c11000-00c12000 rwxp 0000f000 fd:00 18089008   /lib/libresolv-2.3.5.so
00c12000-00c14000 rwxp 00c12000 00:00 0
00dc0000-00dc4000 r-xp 00000000 fd:00 18087985   /lib/libnss_dns-2.3.5.so
00dc4000-00dc5000 r-xp 00003000 fd:00 18087985   /lib/libnss_dns-2.3.5.so
00dc5000-00dc6000 rwxp 00004000 fd:00 18087985   /lib/libnss_dns-2.3.5.so
0520e000-05220000 r-xp 00000000 fd:00 18089726   /lib/libnsl-2.3.5.so
05220000-05221000 r-xp 00011000 fd:00 18089726   /lib/liAborted

Version-Release number of selected component (if applicable):
curl-7.13.1-4.fc4

How reproducible:
Always

Steps to Reproduce:
1. execute the following command:
curl '?0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0'

Actual Results: sigsegv

Expected Results: abort with unresolvable hostname error

Additional info:

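The allocation arithmetic the report describes, as an added example that is not part of the original report or of curl's own source: a small model of the 7.13.1-style host/path split, the default path "/", and the "host contains a '?'" fixup that memmoves the path and prepends a slash. The function names (split_host_path, fixup_query_in_host, path_bytes_needed, fixup_fits, fixup_result) and the explicit bounds check are assumptions made for this illustration; the real code performed the memmove/memcpy unchecked, which is what produced the glibc abort above.

```c
/* Added example, not curl's own code: models the path-buffer size
 * arithmetic of curl 7.13.1's lib/url.c to show why urllen+2 is one byte
 * short when the default path is "/" and the host part contains a '?'.
 * All function names and the bounds check are assumptions for this
 * illustration; the real code did the memmove/memcpy with no check. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 7.13.1-style split: host is everything before the first '/', path is
 * the rest; with no '/' at all the path becomes the default "/". */
static void split_host_path(const char *url, char *host, char *path)
{
    const char *slash = strchr(url, '/');
    if (slash) {
        memcpy(host, url, (size_t)(slash - url));
        host[slash - url] = '\0';
        strcpy(path, slash);
    } else {
        strcpy(host, url);
        strcpy(path, "/");              /* Set default path */
    }
}

/* The "host contains a '?'" fixup: the query is moved out of host into
 * path behind a prepended '/'. Returns 0 on success, -1 if the writes
 * would not fit in a path buffer of bufsize bytes (the check is ours). */
static int fixup_query_in_host(char *host, char *path, size_t bufsize)
{
    char *query = strchr(host, '?');
    if (!query)
        return 0;
    size_t len = strlen(query);
    size_t pathlen = strlen(path);
    /* bytes written: '/' + query (len+1), then the moved path and its NUL */
    if (len + 1 + pathlen + 1 > bufsize)
        return -1;
    memmove(path + len + 1, path, pathlen + 1); /* move path plus zero byte */
    path[0] = '/';
    memcpy(path + 1, query, len);
    *query = '\0';                              /* cut host at the '?' */
    return 0;
}

/* Bytes the fixup writes into path for url, given the split above.
 * Only the no-'/' case (default path "/") can reach strlen(url)+3. */
static size_t path_bytes_needed(const char *url)
{
    const char *slash = strchr(url, '/');
    const char *query = strchr(url, '?');
    size_t hostlen = slash ? (size_t)(slash - url) : strlen(url);
    /* a '?' only triggers the fixup when it sits inside the host part */
    size_t len = (query && (size_t)(query - url) < hostlen)
                     ? hostlen - (size_t)(query - url) : 0;
    size_t pathlen = slash ? strlen(slash) : 1;  /* default path "/" */
    return len ? len + 1 + pathlen + 1 : pathlen + 1;
}

/* Runs split and fixup with a path buffer of strlen(url)+extra bytes, the
 * shape curl used. Returns the resulting path in static storage, or ""
 * when the fixup would overflow that buffer. Call with extra >= 2. */
static const char *fixup_result(const char *url, size_t extra)
{
    static char result[256];
    size_t urllen = strlen(url);
    result[0] = '\0';
    if (urllen + extra > sizeof result)         /* keep the copy in bounds */
        return result;
    char *host = malloc(urllen + 1);
    char *path = malloc(urllen + extra);
    if (host && path) {
        split_host_path(url, host, path);
        if (fixup_query_in_host(host, path, urllen + extra) == 0)
            strcpy(result, path);
    }
    free(host);
    free(path);
    return result;
}

/* 1 if the fixup fits in strlen(url)+extra bytes, 0 if it would overflow. */
static int fixup_fits(const char *url, size_t extra)
{
    return fixup_result(url, extra)[0] != '\0';
}

int main(void)
{
    const char *url = "?0123456789abcdef";     /* constructed, short form of the reproducer */
    printf("need %zu bytes; urllen+2 = %zu, urllen+3 = %zu\n",
           path_bytes_needed(url), strlen(url) + 2, strlen(url) + 3);
    printf("urllen+2: %s\n", fixup_fits(url, 2) ? "fits" : "would overflow");
    printf("urllen+3: %s, path becomes \"%s\"\n",
           fixup_fits(url, 3) ? "fits" : "would overflow", fixup_result(url, 3));
    return 0;
}
```

With the reproducer shape (a bare "?..." URL), the whole string lands in the host field, the path is the two-byte default "/", and the fixup needs strlen(url)+3 bytes; any URL that contains a '/' keeps the requirement at or below strlen(url)+2, which is why the 7.15.1 fix was sufficient there but not for the default-path case.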
Comment 1 Wilfried Weissmann 2005-12-09 13:21:14 UTC
... and please add the "Security Sensitive Bug" checkbox to the guided new bug dialog!

Comment 2 Ivana Varekova 2005-12-12 14:32:58 UTC
Thank you very much for your bug report, you are absolutely right. 
This problem is fixed in curl-7.13.1-5.fc4 and curl-7.12.3-6.fc3 versions. 

Comment 3 Daniel Stenberg 2005-12-12 22:16:18 UTC
It seems 7.14.0 and earlier needs this +3 version.

Comment 4 Daniel Stenberg 2005-12-12 23:20:47 UTC
I would *REALLY* appreciate if you could let me know the next time you find or get a security flaw reported here (me being curl and libcurl maintainer and developer). This additional info had not been identified before and it does affect a lot more users than Redhat users. You clearly have known this for several days.

Comment 5 Ivana Varekova 2005-12-13 10:21:47 UTC
Hello Daniel,
I added you to the curl bug list so you will get announcements about all curl bugs.
If you do not want to be on this list, please write me a message.