Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function.
This display function formats the output to wrap at 80 columns. The wrap logic is however flawed, so if a single word in the message is itself longer than 80 bytes the buffer arithmetic calculates the remainder wrong and will end up reading behind the end of the buffer. This could lead to information disclosure or crash.
Name: the Curl project
Upstream: Brian Carpenter (Geeknik Labs)
Created curl tracking bugs for this issue:
Affects: fedora-all [bug 1644558]
Created mingw-curl tracking bugs for this issue:
Affects: epel-7 [bug 1644559]
It should be noted that this issue only affects the curl command line tool, it does not affect the libcurl library. The flaw is in the function that formats curl's warning and notice messages. Messages are wrapped to 80 characters per line and hence long messages are split across multiple lines. Those messages are used to print information about invalid or malformed options specified for the tool, hence they only contain trusted input in most use case and no trust boundary is crossed when invalid option is specified. There does not seem to be any use of the warning function for printing any data from the remote servers.
The impact of the problem varies depending on the curl version. In the current curl versions, the vulnerable code can be found in the voutf() function, and the function does not enforce any limit on the message length. This is important, as the calculation goes off by one for every output line printed (if the line only contains text that was split in the middle of the word rather than at white space).
In curl versions prior to 7.58.0, the message is first printed into a 256 bytes long stack-based buffer. This limits the number of times a long word can be wrapped to 3, and that also limits the size of the overflow.
In curl versions prior to 7.45.0, the vulnerable code can be found in the warnf() functions. In the commit linked below, the code was moved to voutf(), and warnf() was modified to call voutf(). The new function notef() was added as another caller of voutf().
This is the version of the code as used in the curl packages in Red Hat Enterprise Linux 7 and 6.
In curl versions prior to 1.16.3, there is a bug in the wrapping code that causes curl to print long words in a way that only one character is printed on each line. This increases the size of the over-read.
This is the version of the code as used in the curl packages in Red Hat Enterprise Linux 5.