Bug 2299654 (CVE-2024-6874) - CVE-2024-6874 curl: macidn punycode buffer overread
Summary: CVE-2024-6874 curl: macidn punycode buffer overread
Keywords:
Status: NEW
Alias: CVE-2024-6874
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2024-07-24 08:21 UTC by OSIDB Bzimport
Modified: 2025-05-16 08:28 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2024-07-24 08:21:32 UTC
libcurl's URL API function
[curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) offers punycode
conversions, to and from IDN. Asking to convert a name that is exactly 256
bytes, libcurl ends up reading outside of a stack based buffer when built to
use the *macidn* IDN backend. The conversion function then fills up the
provided buffer exactly - but does not null terminate the string.

This flaw can lead to stack contents accidentally getting returned as part of
the converted string.
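
The exact-fill condition described above, as an added sketch that is not part of the original report and is not curl's code. `convert()` is a hypothetical stand-in for the IDN backend call, the all-`a` names are constructed input, and the hardened caller shows one general way to handle a converter that may leave the buffer unterminated, not the change the curl project made.

```c
#include <stdlib.h>
#include <string.h>

#define OUT_CAP 256 /* sketch buffer size; 256 is the length the report names */

/* Hypothetical backend stand-in: writes at most cap bytes, returns the full
   output length, and adds a NUL only when there is room for one. */
static size_t convert(const char *in, size_t inlen, char *out, size_t cap)
{
  size_t n = inlen < cap ? inlen : cap;
  memcpy(out, in, n);
  if(n < cap)
    out[n] = '\0';
  return inlen;
}

/* 1 if an n-byte constructed name (n <= OUT_CAP + 1) leaves buf terminated.
   memchr() is bounded, so the flaw shows without reading past buf. */
static int terminated_for_len(size_t n)
{
  char name[OUT_CAP + 1], buf[OUT_CAP];
  memset(name, 'a', sizeof(name));
  convert(name, n, buf, sizeof(buf));
  return memchr(buf, '\0', sizeof(buf)) != NULL;
}

/* Hardened caller: trust the returned length, never a terminator.
   Returns a heap copy, or NULL on exact fill, truncation or OOM. */
static char *safe_convert(const char *in, size_t inlen)
{
  char buf[OUT_CAP], *dup;
  size_t len = convert(in, inlen, buf, sizeof(buf));
  if(len >= sizeof(buf) || !(dup = malloc(len + 1)))
    return NULL;
  memcpy(dup, buf, len);
  dup[len] = '\0';
  return dup;
}

/* 1 if safe_convert() accepts an n-byte constructed name, else 0. */
static int safe_accepts_len(size_t n)
{
  char name[OUT_CAP + 1], *r;
  int ok;
  memset(name, 'a', sizeof(name));
  ok = (r = safe_convert(name, n)) != NULL;
  free(r);
  return ok;
}
```

A caller that passes the 256-byte case to `strdup()` or `strlen()` would keep reading adjacent stack memory until it happens to meet a zero byte, which is how stack contents end up in the returned string.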

Comment 1 TEJ RATHI 2024-07-25 06:26:54 UTC
From Advisory:

AFFECTED VERSIONS

The vulnerable code can only be reached when curl is built to use macidn, the native IDN conversion library bundled with Apple's operating systems: macOS, iOS, iPadOS etc. Builds using other IDN backends are not vulnerable.

    Affected version: curl 8.8.0
    Not affected versions: curl < 8.8.0 and >= 8.9.0
    Introduced-in: https://github.com/curl/curl/commit/add22feeef07858307be57

