CURL-CVE-2009-2417

See a problem?

Source

https://curl.se/docs/CVE-2009-2417.html

Import Source

https://curl.se/docs/CURL-CVE-2009-2417.json

JSON Data

https://api.osv.dev/v1/vulns/CURL-CVE-2009-2417

Aliases

CVE-2009-2417

Published

2009-08-12T08:00:00Z

Modified

2024-01-16T03:42:41.998620Z

Summary

embedded zero in cert name

Details

SSL and TLS Server certificates contain one or more fields with server name or otherwise matching patterns. These strings are stored as content and length within the certificate, and thus there is no particular terminating character.

curl's OpenSSL interfacing code did faulty assumptions about those names and patterns being zero terminated, allowing itself to be fooled in case a certificate would get a zero byte embedded into one of the name fields. To illustrate, a name that would show this vulnerability could look like:

"example.com\0.haxx.se"

This cert is thus made for "haxx.se" but curl would erroneously verify it with no complaints for "example.com".

According to a recently published presentation, this kind of zero embedding has been proven to be possible with at least one CA.

References

Credits

- Scott Cantor - FINDER
- Daniel Stenberg - REMEDIATION_DEVELOPER
- Peter Sylvester - OTHER
- Michal Marek - OTHER
- Kamil Dudka - OTHER

Affected packages

Git /

Affected ranges

Type: SEMVER
Events: Introduced

7.4

Fixed

7.19.6

Affected versions

7.*

7.10

7.10.1

7.10.2

7.10.3

7.10.4

7.10.5

7.10.6

7.10.7

7.10.8

7.11.0

7.11.1

7.11.2

7.12.0

7.12.1

7.12.2

7.12.3

7.13.0

7.13.1

7.13.2

7.14.0

7.14.1

7.15.0

7.15.1

7.15.2

7.15.3

7.15.4

7.15.5

7.16.0

7.16.1

7.16.2

7.16.3

7.16.4

7.17.0

7.17.1

7.18.0

7.18.1

7.18.2

7.19.0

7.19.1

7.19.2

7.19.3

7.19.4

7.19.5

7.4

7.4.1

7.4.2

7.5

7.5.1

7.5.2

7.6

7.6.1

7.7

7.7.1

7.7.2

7.7.3

7.8

7.8.1

7.9

7.9.1

7.9.2

7.9.3

7.9.4

7.9.5

7.9.6

7.9.7

7.9.8