Bug 2299653 (CVE-2024-6197)

Summary: CVE-2024-6197 curl: freeing stack buffer in utf8asn1str
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: adudiak, bdettelb, crizzo, csutherl, dfreiber, doconnor, drow, jburrell, jclere, jmitchel, jtanner, kshier, omaciel, pjindal, plodge, stcannon, szappis, teagle, vkumar, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in cURL's utf8asn1str() function in the ASN1 parser, which causes a denial of service due to a memory allocation flaw. This flaw allows a remote attacker to use a specially crafted TLS certificate, causing the function to invoke free() on a 4-byte local stack buffer. While most modern malloc implementations detect and abort this error, some accept the pointer, leading to stack memory overwriting. This flaw likely results in a crash, though more serious consequences are possible in certain conditions.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2299802    
Bug Blocks:    

Description OSIDB Bzimport 2024-07-24 08:21:19 UTC 
libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. Itcan detect an invalid field and return error. Unfortunately, when doing so it also invokes `free()` on a 4 byte localstack buffer.  Most modern malloc implementations detect this error and immediately abort. Some however accept the input pointer and add that memory to its list of available chunks. This leads to the overwriting of nearby stack memory. The content of the overwrite is decided by the `free()` implementation; likely to be memory pointers and a set of flags.  The most likely outcome of exploting this flaw is a crash, although it cannot be ruled out that more serious results can be had in special circumstances.
Comment 1 TEJ RATHI 2024-07-25 06:20:52 UTC 
From advisory:

AFFECTED VERSIONS

The vulnerable code can only be reached when curl is built to use GnuTLS, wolfSSL, Schannel or Secure Transport. Builds using other TLS backends are not vulnerable.

    Affected versions: curl 8.6.0 to and including 8.8.0
    Not affected versions: curl < 8.6.0 and >= 8.9.0
    Introduced-in: https://github.com/curl/curl/commit/623c3a8fa0bdb2751f1 (8.6.0)