Vigil@nce - curl: buffer overflow of curl_easy_unescape
June 2013 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can generate a buffer overflow in curl_easy_unescape
of curl, in order to trigger a denial of service, and possibly to
execute code.
Impacted products: cURL, Debian, RHEL, Slackware
Severity: 1/4
Creation date: 24/06/2013
DESCRIPTION OF THE VULNERABILITY
The cURL tool retrieves the file designated by a URL, using one of
many protocols.
The routine curl_easy_unescape() of libcurl, which is used by
curl, decodes URL escape sequences. It allows the caller to
specify the length of the buffer to be decoded, instead of looking
for the terminating 0 as is usual for C strings. However, when the
buffer end is located after the % symbol of a hexadecimal
sequence, the buffer end is not recognized, which makes the
function write the decoding result after the actual buffer end.
An attacker can therefore generate a buffer overflow in
curl_easy_unescape of curl, in order to trigger a denial of
service, and possibly to execute code.
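The failure mode above is a missing remaining-length check in a length-bounded decoder. The following C program is an added illustration written for this bulletin; it is not libcurl's code and not the patched curl_easy_unescape(). Its percent_decode() reads exactly the `inlen` bytes the caller declares, and the check `inlen - i >= 3` is evaluated before the two hex digits after a `%` are touched, so a `%` in the last two bytes is copied literally instead of being decoded from bytes beyond the declared end. The helper functions and the constructed inputs (`"a%41"`, the 4-byte array whose first 2 bytes are declared) are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Nibble value of a hex digit, or -1 for any other byte. */
static int hexval(unsigned char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Length-bounded percent-decoder (illustration, not libcurl's code).
 * Reads exactly `inlen` bytes of `in` (no NUL terminator needed) and
 * writes at most `outcap` bytes to `out`. Returns the number of bytes
 * written, or -1 if `out` is too small. A '%' that is not followed by
 * two hex digits *inside the declared input* is copied through as a
 * literal byte: the bounds check comes before the hex digits are read. */
long percent_decode(const char *in, size_t inlen, char *out, size_t outcap) {
    size_t i = 0, o = 0;
    while (i < inlen) {
        unsigned char c = (unsigned char)in[i];
        size_t consumed = 1;
        /* Need '%' plus two more bytes within [i, inlen) before looking. */
        if (c == '%' && inlen - i >= 3) {
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = hexval((unsigned char)in[i + 2]);
            if (hi >= 0 && lo >= 0) {
                c = (unsigned char)((hi << 4) | lo);
                consumed = 3;
            }
        }
        if (o >= outcap) return -1;   /* output bound checked on every byte */
        out[o++] = (char)c;
        i += consumed;
    }
    return (long)o;
}

/* 1 if decoding `inlen` bytes of `in` yields exactly `expect`. */
int decode_eq(const char *in, size_t inlen, const char *expect) {
    char out[64];
    long n = percent_decode(in, inlen, out, sizeof out);
    return n >= 0 && (size_t)n == strlen(expect) && memcmp(out, expect, (size_t)n) == 0;
}

/* Constructed case matching the advisory: the caller declares only the
 * first 2 bytes ("%4"); the hex digit stored after them must not be
 * consumed, so the output is the literal "%4". */
int truncated_percent_is_literal(void) {
    const char raw[4] = {'%', '4', '1', '!'};
    char out[8];
    long n = percent_decode(raw, 2, out, sizeof out);
    return n == 2 && out[0] == '%' && out[1] == '4';
}

/* 1 if an undersized output buffer is refused instead of overrun. */
int small_output_is_rejected(void) {
    char out[2];
    return percent_decode("abc", 3, out, sizeof out) == -1;
}

int main(void) {
    char out[32];
    long n = percent_decode("a%41%2Fb", 8, out, sizeof out);
    if (n >= 0) printf("decoded %ld bytes: %.*s\n", n, (int)n, out);
    printf("truncated %% handled: %d, small output rejected: %d\n",
           truncated_percent_is_literal(), small_output_is_rejected());
    return 0;
}
```

The point to take from the example is the ordering: the remaining-length test guards the hex-digit reads, and the output-capacity test guards every write, so neither side of the decoder depends on a terminating 0 being present.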
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/curl-buffer-overflow-of-curl-easy-unescape-13000