CURL-CVE-2009-2417

Source
https://curl.se/docs/CVE-2009-2417.html
Import Source
https://curl.se/docs/CURL-CVE-2009-2417.json
JSON Data
https://api.osv.dev/v1/vulns/CURL-CVE-2009-2417
Aliases
Published
2009-08-12T08:00:00Z
Modified
2024-01-16T03:42:41.998620Z
Summary
embedded zero in cert name
Details

SSL and TLS Server certificates contain one or more fields with server name or otherwise matching patterns. These strings are stored as content and length within the certificate, and thus there is no particular terminating character.

curl's OpenSSL interfacing code did faulty assumptions about those names and patterns being zero terminated, allowing itself to be fooled in case a certificate would get a zero byte embedded into one of the name fields. To illustrate, a name that would show this vulnerability could look like:

"example.com\0.haxx.se"

This cert is thus made for "haxx.se" but curl would erroneously verify it with no complaints for "example.com".

According to a recently published presentation, this kind of zero embedding has been proven to be possible with at least one CA.

References
Credits
    • Scott Cantor - FINDER
    • Daniel Stenberg - REMEDIATION_DEVELOPER
    • Peter Sylvester - OTHER
    • Michal Marek - OTHER
    • Kamil Dudka - OTHER

Affected packages

Git /

Affected ranges

Type
SEMVER
Events
Introduced
7.4
Fixed
7.19.6

Affected versions

7.*

7.10
7.10.1
7.10.2
7.10.3
7.10.4
7.10.5
7.10.6
7.10.7
7.10.8
7.11.0
7.11.1
7.11.2
7.12.0
7.12.1
7.12.2
7.12.3
7.13.0
7.13.1
7.13.2
7.14.0
7.14.1
7.15.0
7.15.1
7.15.2
7.15.3
7.15.4
7.15.5
7.16.0
7.16.1
7.16.2
7.16.3
7.16.4
7.17.0
7.17.1
7.18.0
7.18.1
7.18.2
7.19.0
7.19.1
7.19.2
7.19.3
7.19.4
7.19.5
7.4
7.4.1
7.4.2
7.5
7.5.1
7.5.2
7.6
7.6.1
7.7
7.7.1
7.7.2
7.7.3
7.8
7.8.1
7.9
7.9.1
7.9.2
7.9.3
7.9.4
7.9.5
7.9.6
7.9.7
7.9.8