Bug 2299653 (CVE-2024-6197) - CVE-2024-6197 curl: freeing stack buffer in utf8asn1str
Summary: CVE-2024-6197 curl: freeing stack buffer in utf8asn1str
Keywords:
Status: NEW
Alias: CVE-2024-6197
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2299802
Blocks:
Reported: 2024-07-24 08:21 UTC by OSIDB Bzimport
Modified: 2024-10-14 06:32 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in cURL's utf8asn1str() function in the ASN1 parser, which causes a denial of service due to a memory allocation flaw. This flaw allows a remote attacker to use a specially crafted TLS certificate, causing the function to invoke free() on a 4-byte local stack buffer. While most modern malloc implementations detect and abort this error, some accept the pointer, leading to stack memory overwriting. This flaw likely results in a crash, though more serious consequences are possible in certain conditions.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2024-07-24 08:21:19 UTC
libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. It can detect an invalid field and return an error. Unfortunately, when doing so it also invokes `free()` on a 4 byte local stack buffer. Most modern malloc implementations detect this error and immediately abort. Some however accept the input pointer and add that memory to their list of available chunks. This leads to the overwriting of nearby stack memory. The content of the overwrite is decided by the `free()` implementation; likely to be memory pointers and a set of flags. The most likely outcome of exploiting this flaw is a crash, although it cannot be ruled out that more serious results can be had in special circumstances.
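The following is an added illustration, not curl's code, of the ownership discipline the description is about: a string converter that keeps a 4-byte stack scratch buffer (one code point's worth of UTF-8) next to a heap-allocated result, and on the invalid-field path releases only the heap pointer. The function names (utf8_encode, bmpstring_to_utf8) and the choice of BMPString (UCS-2) input are assumptions made for the example; the comment at the error path marks where the reported bug pattern, a free() of the stack buffer, would sit.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Encode one Unicode code point as UTF-8 into a 4-byte buffer.
 * Returns the number of bytes written (1..4). Hypothetical helper. */
static size_t utf8_encode(uint32_t cp, char buf[4])
{
  if (cp < 0x80) {
    buf[0] = (char)cp;
    return 1;
  }
  if (cp < 0x800) {
    buf[0] = (char)(0xC0 | (cp >> 6));
    buf[1] = (char)(0x80 | (cp & 0x3F));
    return 2;
  }
  if (cp < 0x10000) {
    buf[0] = (char)(0xE0 | (cp >> 12));
    buf[1] = (char)(0x80 | ((cp >> 6) & 0x3F));
    buf[2] = (char)(0x80 | (cp & 0x3F));
    return 3;
  }
  buf[0] = (char)(0xF0 | (cp >> 18));
  buf[1] = (char)(0x80 | ((cp >> 12) & 0x3F));
  buf[2] = (char)(0x80 | ((cp >> 6) & 0x3F));
  buf[3] = (char)(0x80 | (cp & 0x3F));
  return 4;
}

/* Convert the body of an ASN.1 BMPString (UCS-2, big-endian) into a
 * NUL-terminated UTF-8 string. On success *out points at a heap
 * allocation the caller frees and 0 is returned. On invalid input *out
 * is NULL, every heap allocation made here is released, and -1 is
 * returned. Hypothetical function, not libcurl's utf8asn1str(). */
int bmpstring_to_utf8(const unsigned char *from, size_t fromlen, char **out)
{
  char scratch[4];      /* stack buffer: never a valid argument to free() */
  char *result = NULL;  /* heap buffer: the only pointer this function frees */
  size_t len = 0;

  *out = NULL;
  if ((!from && fromlen) || (fromlen & 1))  /* UCS-2 bodies have even length */
    return -1;

  /* each 16-bit unit expands to at most 3 UTF-8 bytes, plus the terminator */
  result = malloc((fromlen / 2) * 3 + 1);
  if (!result)
    return -1;

  for (size_t i = 0; i < fromlen; i += 2) {
    uint32_t cp = ((uint32_t)from[i] << 8) | from[i + 1];
    if (cp >= 0xD800 && cp <= 0xDFFF) {
      /* Invalid field: a lone surrogate has no UTF-8 encoding.
       * The bug pattern in the report is cleaning up with free(scratch)
       * here, handing a stack address to the allocator. Release only the
       * heap allocation and let the caller see a clean failure. */
      free(result);
      return -1;
    }
    size_t n = utf8_encode(cp, scratch);  /* encode into the stack buffer */
    memcpy(result + len, scratch, n);     /* then append to the heap result */
    len += n;
  }
  result[len] = '\0';
  *out = result;
  return 0;
}
```

Building with `-fsanitize=address` turns the mistaken `free(scratch)` into an immediate report ("attempting free on address which was not malloc()-ed") regardless of which allocator would otherwise accept the pointer, which is the practical way to catch this class of error in a parser's error paths before it reaches a production build.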

Comment 1 TEJ RATHI 2024-07-25 06:20:52 UTC
From advisory:

AFFECTED VERSIONS

The vulnerable code can only be reached when curl is built to use GnuTLS, wolfSSL, Schannel or Secure Transport. Builds using other TLS backends are not vulnerable.

    Affected versions: curl 8.6.0 to and including 8.8.0
    Not affected versions: curl < 8.6.0 and >= 8.9.0
    Introduced-in: https://github.com/curl/curl/commit/623c3a8fa0bdb2751f1 (8.6.0)

