curl / Docs / Security / Advisory

Security Advisory December 7th 2005

                  libcurl URL Buffer Overflow Vulnerability
Project curl Security Advisory, December 7th 2005
libcurl's URL parser function can overflow a malloced buffer in two ways, if
given a too long URL.
These overflows happen if you
 1 - pass in a URL with no protocol (like "http://") prefix, using no slash
     and the string is 256 bytes or longer. This leads to a single zero byte
     overflow of the malloced buffer.
 2 - pass in a URL with only a question mark as separator (no slash) between
     the host and the query part of the URL. This leads to a single zero byte
     overflow of the malloced buffer.
Both overflows can be made with the same input string, leading to two single
zero byte overwrites.
The affected flaw cannot be triggered by a redirect, but the long URL must be
passed in "directly" to libcurl. It makes this a "local" problem. Of course,
lots of programs may still pass in user-provided URLs to libcurl without doing
much syntax checking of their own, allowing a user to exploit this
There is no known exploit at the time of this writing.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2005-4077 to this issue.
Affected versions: curl and libcurl 7.11.2 to and including 7.15.0
Not affected versions: curl and libcurl 7.11.1 and earlier, 7.15.1 and later
Also note that (lib)curl is used by many applications, and not always
advertised as such.
We suggest you take one of the following actions immediately:
 I - Upgrade to curl and libcurl 7.15.1
 II - Apply the patch to your
      libcurl version and install this
 III - Make sure the URLs you pass to libcurl always have a protocol part
We were notified by Stefan Esser on November 29th, 2005.
Discussions were held and the patch to fix this flaw was made swiftly.
[Dec 12 2005] Additional info on what's required for 7.14.0 and earlier was
provided by Wilfried Weissmann in a Redhat bug report. The provided patch
above was updated and adjusted to the newly discovered facts.
Reported to us by Stefan Esser. Thanks a lot!