From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050922 Fedora/1.0.7-1.1.fc4 Firefox/1.0.7

Description of problem:
fedora core 4 is still affected by CVE-2005-4077! curl 7.13.1 and earlier need to allocate +3 bytes instead of +2 since the default path is '/' and not "\0" like it is in 7.15.1:

lib/url.c:2386
    /* Set default path */
    strcpy(conn->path, "/");

and then in:

lib/url.c:2451
    /* move the existing path plus the zero byte */
    memmove(conn->path+len+1, conn->path, strlen(conn->path)+1);

we need one additional byte for the \0, one for the heading '/' and one for the trailing '/' of the default path.

$ rpm -q curl
curl-7.13.1-4.fc4
$ curl '?0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0'
*** glibc detected *** curl: double free or corruption (!prev): 0x089b54a0 ***
======= Backtrace: =========
/lib/libc.so.6[0x903124]
/lib/libc.so.6(__libc_free+0x77)[0x90365f]
/usr/lib/libcurl.so.3(Curl_safefree+0x24)[0x7dc01c]
/usr/lib/libcurl.so.3(Curl_disconnect+0xcf)[0x7dc32d]
/usr/lib/libcurl.so.3(Curl_connect+0x7f3)[0x7dede2]
/usr/lib/libcurl.so.3[0x7e8c7d]
/usr/lib/libcurl.so.3(Curl_perform+0xe3)[0x7eaf3c]
/usr/lib/libcurl.so.3(curl_easy_perform+0x36)[0x7eb50b]
curl[0x804e642]
/lib/libc.so.6(__libc_start_main+0xdf)[0x8b4d5f]
curl[0x8049861]
======= Memory map: ========
00101000-0012f000 r-xp 00000000 fd:00 14336973 /usr/lib/libidn.so.11.5.8
0012f000-00131000 rwxp 0002d000 fd:00 14336973 /usr/lib/libidn.so.11.5.8
00131000-0013a000 r-xp 00000000 fd:00 18087988 /lib/libnss_files-2.3.5.so
0013a000-0013b000 r-xp 00008000 fd:00 18087988 /lib/libnss_files-2.3.5.so
0013b000-0013c000 rwxp 00009000 fd:00 18087988 /lib/libnss_files-2.3.5.so
0013c000-00144000 r-xp 00000000 fd:00 18087993 /lib/libnss_nis-2.3.5.so
00144000-00145000 r-xp 00007000 fd:00 18087993 /lib/libnss_nis-2.3.5.so
00145000-00146000 rwxp 00008000 fd:00 18087993 /lib/libnss_nis-2.3.5.so
002a0000-002a2000 r-xp 00000000 fd:00 18088064 /lib/libcom_err.so.2.1
002a2000-002a3000 rwxp 00001000 fd:00 18088064 /lib/libcom_err.so.2.1
002a5000-002a7000 r-xp 00000000 fd:00 14328902 /usr/lib/libkrb5support.so.0.0
002a7000-002a8000 rwxp 00001000 fd:00 14328902 /usr/lib/libkrb5support.so.0.0
002aa000-002cd000 r-xp 00000000 fd:00 14336958 /usr/lib/libk5crypto.so.3.0
002cd000-002ce000 rwxp 00023000 fd:00 14336958 /usr/lib/libk5crypto.so.3.0
0032e000-0039d000 r-xp 00000000 fd:00 14324228 /usr/lib/libkrb5.so.3.2
0039d000-003a0000 rwxp 0006e000 fd:00 14324228 /usr/lib/libkrb5.so.3.2
003a2000-0049a000 r-xp 00000000 fd:00 18088047 /lib/libcrypto.so.0.9.7f
0049a000-004ac000 rwxp 000f8000 fd:00 18088047 /lib/libcrypto.so.0.9.7f
004ac000-004af000 rwxp 004ac000 00:00 0
004b7000-004ce000 r-xp 00000000 fd:00 14332639 /usr/lib/libgssapi_krb5.so.2.2
004ce000-004cf000 rwxp 00017000 fd:00 14332639 /usr/lib/libgssapi_krb5.so.2.2
004d1000-00506000 r-xp 00000000 fd:00 18089847 /lib/libssl.so.0.9.7f
00506000-00509000 rwxp 00035000 fd:00 18089847 /lib/libssl.so.0.9.7f
007aa000-007b3000 r-xp 00000000 fd:00 18087966 /lib/libgcc_s-4.0.2-20051126.so.1
007b3000-007b4000 rwxp 00009000 fd:00 18087966 /lib/libgcc_s-4.0.2-20051126.so.1
007c7000-007fa000 r-xp 00000000 fd:00 14327343 /usr/lib/libcurl.so.3.0.0
007fa000-007fb000 rwxp 00033000 fd:00 14327343 /usr/lib/libcurl.so.3.0.0
00882000-0089c000 r-xp 00000000 fd:00 18088978 /lib/ld-2.3.5.so
0089c000-0089d000 r-xp 00019000 fd:00 18088978 /lib/ld-2.3.5.so
0089d000-0089e000 rwxp 0001a000 fd:00 18088978 /lib/ld-2.3.5.so
008a0000-009c3000 r-xp 00000000 fd:00 18088995 /lib/libc-2.3.5.so
009c3000-009c5000 r-xp 00123000 fd:00 18088995 /lib/libc-2.3.5.so
009c5000-009c7000 rwxp 00125000 fd:00 18088995 /lib/libc-2.3.5.so
009c7000-009c9000 rwxp 009c7000 00:00 0
009f2000-009f4000 r-xp 00000000 fd:00 18089002 /lib/libdl-2.3.5.so
009f4000-009f5000 r-xp 00001000 fd:00 18089002 /lib/libdl-2.3.5.so
009f5000-009f6000 rwxp 00002000 fd:00 18089002 /lib/libdl-2.3.5.so
009f8000-00a0a000 r-xp 00000000 fd:00 14336912 /usr/lib/libz.so.1.2.2.2
00a0a000-00a0b000 rwxp 00011000 fd:00 14336912 /usr/lib/libz.so.1.2.2.2
00a8e000-00a8f000 r-xp 00a8e000 00:00 0 [vdso]
00c01000-00c10000 r-xp 00000000 fd:00 18089008 /lib/libresolv-2.3.5.so
00c10000-00c11000 r-xp 0000e000 fd:00 18089008 /lib/libresolv-2.3.5.so
00c11000-00c12000 rwxp 0000f000 fd:00 18089008 /lib/libresolv-2.3.5.so
00c12000-00c14000 rwxp 00c12000 00:00 0
00dc0000-00dc4000 r-xp 00000000 fd:00 18087985 /lib/libnss_dns-2.3.5.so
00dc4000-00dc5000 r-xp 00003000 fd:00 18087985 /lib/libnss_dns-2.3.5.so
00dc5000-00dc6000 rwxp 00004000 fd:00 18087985 /lib/libnss_dns-2.3.5.so
0520e000-05220000 r-xp 00000000 fd:00 18089726 /lib/libnsl-2.3.5.so
05220000-05221000 r-xp 00011000 fd:00 18089726 /lib/liAborted

Version-Release number of selected component (if applicable):
curl-7.13.1-4.fc4

How reproducible:
Always

Steps to Reproduce:
1. execute the following command:
curl '?0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0'

Actual Results: sigsegv

Expected Results: abort with unresolvable hostname error

Additional info:
... and please add the "Security Sensitive Bug" checkbox to the guided new bug dialog!
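Added illustration of the size arithmetic the report describes; this is not curl's code and not the reporter's. It models a path buffer that already holds a default path ("/" as the report says 7.13.1 does, "" as in 7.15.1) and then gets "/" plus a query-only URL such as "?abc" inserted in front of it with the same strcpy and memmove steps the report quotes. The function names (path_bytes_needed, plus2_overflows, build_path, build_path_equals) and the short sample query are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration (not curl's code) of the size arithmetic in the report:
 * a path buffer already holding a default path ("/" as the report says
 * 7.13.1 did, "" as in 7.15.1) gets "/" plus a query-only URL such as
 * "?abc" inserted in front of it. Function names are hypothetical. */

/* Bytes the finished path needs: heading '/' + query + existing default
 * path + terminating NUL. With default "/" this is strlen(query) + 3. */
size_t path_bytes_needed(const char *query, const char *default_path)
{
    return 1 + strlen(query) + strlen(default_path) + 1;
}

/* What the affected version set aside, per the report: URL length + 2,
 * i.e. room for the '/' and the NUL but not for the default path. */
size_t path_bytes_allocated_plus2(const char *query)
{
    return strlen(query) + 2;
}

/* 1 when the +2 allocation is one byte short, 0 when it is sufficient. */
int plus2_overflows(const char *query, const char *default_path)
{
    return path_bytes_allocated_plus2(query)
           < path_bytes_needed(query, default_path);
}

/* Builds the path with an allocation sized by path_bytes_needed, then does
 * the steps the report quotes: strcpy the default path, memmove it (NUL
 * included) forward by len + 1, and fill in the heading '/' and the query.
 * Returns a malloc'd string the caller frees, or NULL on allocation failure. */
char *build_path(const char *query, const char *default_path)
{
    size_t len = strlen(query);
    char *path = malloc(path_bytes_needed(query, default_path));
    if (path == NULL)
        return NULL;
    strcpy(path, default_path);                      /* Set default path */
    memmove(path + len + 1, path, strlen(path) + 1); /* move it plus the zero byte */
    path[0] = '/';                                   /* heading '/' */
    memcpy(path + 1, query, len);                    /* query text after it */
    return path;
}

/* Convenience for checks: 1 if build_path(query, default_path) == expected. */
int build_path_equals(const char *query, const char *default_path,
                      const char *expected)
{
    char *path = build_path(query, default_path);
    int equal = (path != NULL && strcmp(path, expected) == 0);
    free(path);
    return equal;
}

int main(void)
{
    const char *query = "?0123456789abcdef"; /* constructed short sample */
    const char *defaults[] = { "/", "" };
    for (int i = 0; i < 2; i++) {
        printf("default path \"%s\": need %zu bytes, +2 gives %zu, short=%d\n",
               defaults[i], path_bytes_needed(query, defaults[i]),
               path_bytes_allocated_plus2(query),
               plus2_overflows(query, defaults[i]));
    }
    char *path = build_path(query, "/");
    printf("built path: %s\n", path);
    free(path);
    return 0;
}
```

With the default path "/" the finished string is "/" + query + "/" + NUL, so a buffer sized URL length + 2 is one byte short, which is the off-by-one the report points at; with an empty default path the same +2 is exactly enough. Sizing the allocation from the pieces that actually end up in the buffer, rather than from a constant, is the check that removes the dependency on what the default path happens to be.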
Thank you very much for your bug report, you are absolutely right. This problem is fixed in curl-7.13.1-5.fc4 and curl-7.12.3-6.fc3 versions.
It seems 7.14.0 and earlier need this +3 version.
I would *REALLY* appreciate if you could let me know the next time you find or get a security flaw reported here (me being curl and libcurl maintainer and developer). This additional info had not been identified before and it does affect a lot more users than Red Hat users. You clearly have known this for several days.
Hello Daniel, I added you to the curl bug list so you will get announcements about all curl bugs. If you do not want to be on this list, please write me a message.