[Pardus-security] [PLSA 2010-43] Curl: Excessive Data Length in Callback Function
Eren Turkay
eren at pardus.org.tr
Mon Mar 29 22:10:45 EEST 2010
------------------------------------------------------------------------
Pardus Linux Security Advisory 2010-43 security at pardus.org.tr
------------------------------------------------------------------------
Date: 2010-03-29
Severity: 3
Type: Local
------------------------------------------------------------------------
Summary
=======
A security issue has been fixed in cURL / libcURL which can potentially
be exploited by malicious people to cause a DoS (Denial of Service) or
to compromise an application using the library.
Description
===========
When downloading data, libcurl hands it over to the application using a
callback that is registered by the client software. libcurl will then
call that function repeatedly with data until the transfer is complete.
The callback is documented to receive a maximum data size of 16K
(CURL_MAX_WRITE_SIZE).
Using the affected libcurl version to download compressed content over
HTTP, an application can ask libcurl to automatically uncompress data.
When doing so, libcurl can wrongly send data up to 64K in size to the
callback which thus is much larger than the documented maximum size. An
application that blindly trusts libcurl's max limit for a fixed buffer
size or similar is then a possible target for a buffer overflow
vulnerability.
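The following is an added example, not code from the advisory or from the curl project, illustrating the application-side pattern the description warns about: a write callback that copies into a fixed 16K buffer on the strength of the documented maximum, placed beside two hardened callbacks that bound the copy by the length libcurl actually passes (size * nmemb) instead of by the documented limit. It is written against the callback signature libcurl documents but does not include curl/curl.h; EXAMPLE_MAX_WRITE_SIZE, the sink structs, the callback names and the feed() driver are assumptions made here so the code builds and runs stand-alone.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the value libcurl documents as its per-call
 * maximum (CURL_MAX_WRITE_SIZE, 16K). Defined locally only so this builds
 * without curl/curl.h; the real header is the authoritative source. */
#define EXAMPLE_MAX_WRITE_SIZE 16384

/* Fixed-size sink an application might keep if it trusts the documented
 * maximum chunk size. */
struct fixed_sink {
    char buf[EXAMPLE_MAX_WRITE_SIZE];
    size_t used;
};

/* Vulnerable pattern: the copy is guarded only by the assumption that
 * libcurl never passes more than 16K. A 64K chunk from the affected
 * version overruns buf. Shown for contrast; never called below. */
size_t write_cb_trusting(char *ptr, size_t size, size_t nmemb, void *userdata)
{
    struct fixed_sink *s = userdata;
    size_t n = size * nmemb;
    memcpy(s->buf, ptr, n);   /* no bound check against sizeof s->buf */
    s->used = n;
    return n;
}

/* Hardened: the chunk length is untrusted input, so the copy is bounded by
 * the destination's remaining capacity. Returning anything other than
 * size*nmemb makes libcurl abort the transfer with a write error instead
 * of letting the application continue on overrun or truncated data. */
size_t write_cb_checked(char *ptr, size_t size, size_t nmemb, void *userdata)
{
    struct fixed_sink *s = userdata;
    size_t n;
    if (size != 0 && nmemb > SIZE_MAX / size)   /* size*nmemb would overflow */
        return 0;
    n = size * nmemb;
    if (n > sizeof s->buf - s->used)            /* would overrun the buffer */
        return 0;
    memcpy(s->buf + s->used, ptr, n);
    s->used += n;
    return n;
}

/* Alternative hardening: a growable buffer whose correctness never depends
 * on the maximum chunk size at all. */
struct grow_sink { char *data; size_t len; size_t cap; };

size_t write_cb_growable(char *ptr, size_t size, size_t nmemb, void *userdata)
{
    struct grow_sink *g = userdata;
    size_t n;
    if (size != 0 && nmemb > SIZE_MAX / size)
        return 0;
    n = size * nmemb;
    if (n > g->cap - g->len) {
        size_t newcap = g->cap ? g->cap : 4096;
        while (newcap - g->len < n) {
            if (newcap > SIZE_MAX / 2)
                return 0;
            newcap *= 2;
        }
        char *p = realloc(g->data, newcap);
        if (!p)
            return 0;
        g->data = p;
        g->cap = newcap;
    }
    memcpy(g->data + g->len, ptr, n);
    g->len += n;
    return n;
}

/* Drives a callback with one constructed chunk of `len` bytes the way
 * libcurl does for body data (size == 1, nmemb == len). */
size_t feed(size_t (*cb)(char *, size_t, size_t, void *), void *sink, size_t len)
{
    char *chunk = malloc(len);
    size_t r;
    if (!chunk)
        return 0;
    memset(chunk, 'A', len);
    r = cb(chunk, 1, len, sink);
    free(chunk);
    return r;
}

/* A documented-size chunk is accepted in full by the checked callback. */
int checked_accepts_16k(void)
{
    struct fixed_sink s;
    memset(&s, 0, sizeof s);
    return feed(write_cb_checked, &s, EXAMPLE_MAX_WRITE_SIZE) == EXAMPLE_MAX_WRITE_SIZE
        && s.used == EXAMPLE_MAX_WRITE_SIZE;
}

/* An oversized 64K chunk, as the affected libcurl could deliver, is
 * refused (return 0) and nothing is written past the buffer. */
int checked_rejects_64k(void)
{
    struct fixed_sink s;
    memset(&s, 0, sizeof s);
    return feed(write_cb_checked, &s, 65536) == 0 && s.used == 0;
}

/* The growable sink absorbs a 64K chunk followed by a 16K chunk intact. */
size_t growable_total_after_64k_then_16k(void)
{
    struct grow_sink g = { NULL, 0, 0 };
    size_t total;
    feed(write_cb_growable, &g, 65536);
    feed(write_cb_growable, &g, EXAMPLE_MAX_WRITE_SIZE);
    total = g.len;
    free(g.data);
    return total;
}
```

The point of the two hardened variants is that neither relies on the documented maximum: the checked callback refuses anything that would not fit and signals an error to libcurl, and the growable callback sizes its storage from the actual length. An application that already used either pattern was not exposed by this bug even before updating.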
Affected packages:
curl-7.19.6-18-6, all before 2009
curl-7.19.6-18-8, all before 2008
Resolution
==========
There are update(s) for curl-7.19.6-18-6, curl-7.19.6-18-8. You can
update them via Package Manager or with a single command from console:
pisi up curl-7.19.6-18-6 curl-7.19.6-18-8
References
==========
* http://bugs.pardus.org.tr/show_bug.cgi?id=12439
* http://curl.haxx.se/docs/adv_20100209.html
------------------------------------------------------------------------