curl / Docs / Security / Advisory

Security Advisory February 9 2010

                    libcurl data callback excessive length
Project curl Security Advisory, February 9th 2010
  When downloading data, libcurl hands it over to the application using a
  callback that is registered by the client software. libcurl will then call
  that function repeatedly with data until the transfer is complete. The
  callback is documented to receive a maximum data size of 16K
  Using the affected libcurl version to download compressed content over HTTP,
  an application can ask libcurl to automatically uncompress data. When doing
  so, libcurl can wrongly send data up to 64K in size to the callback which
  thus is much larger than the documented maximum size. An application that
  blindly trusts libcurl's max limit for a fixed buffer size or similar is
  then a possible target for a buffer overflow vulnerability.
  This error is only present in zlib-enabled builds of libcurl and only if
  automatic decompression has been explicitly enabled by the application - it
  is disabled by default.
  There is no known exploit for this problem and we have not found any libcurl
  client software that is vulnerable to this flaw - but we acknowledge that
  there may still be vulnerable software in existence.
  The Common Vulnerabilities and Exposures (CVE) project has assigned the name
  CVE-2010-0734 to this issue.
  Affected versions: curl and libcurl 7.10.5 to and including 7.19.7
  Not affected versions: curl and libcurl <= 7.10.4 and >= 7.20.0
  If you build curl or libcurl to not use zlib or make your app not tell
  libcurl to do this magic, you are not affected.
  Also note that (lib)curl is used by many applications, and not always
  advertised as such.
  libcurl 7.20.0 makes sure that the length argument in the callback never
  exceeds the documented max length.
  We suggest you take one of the following actions immediately, in order of
  A - Upgrade to curl and libcurl 7.20.0
  B - Apply this patch and rebuild
  C - Disable automatic content encoding decompression in your application
  D - Rebuild curl without zlib support
  E - change your code to use 4*CURL_MAX_WRITE_SIZE for buffer sizes
  We were notified by Wesley Miaw on January 9th, 2010.
  We discussed solutions and a first patch was written and tested on January
  Vendor-sec was informed on January 10th, 2010.
  curl 7.20.0 was released on February 9th 2010, just before this flaw was
  publicly disclosed.
  Reported to us by Wesley Miaw. Thanks a lot!
  Daniel Stenberg wrote the primary patch and this advisory