There is a private function in libcurl called fix_hostname() that removes a
trailing dot from the hostname if there is one. The function is called after
the hostname has been extracted from the URL libcurl has been told to act on.
If a URL is given with a zero-length hostname, as in "http://:80" or just
":80", fix_hostname() indexes the hostname pointer with a -1 offset (it
blindly assumes a non-zero length) and both reads from and writes to that address.
At best this goes unnoticed, but it can also lead to a crash or worse. We have not researched further what kind of malicious actions this could potentially be used for.
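The following is an added illustration, not curl's source code: a constructed hostname extractor (extract_hostname) feeding a trailing-dot stripper (strip_trailing_dot) that guards the zero-length case described above. The function names, the simplified URL parsing and the sample URLs are assumptions made for the example; the point it shows is that the inputs "http://:80" and ":80" yield an empty hostname, so a stripper that computes len - 1 without first checking len == 0 touches one byte before the buffer.

```c
#include <stdio.h>
#include <string.h>

/* Extract the hostname from a URL into `out` (constructed, simplified parser,
 * not curl's). Skips an optional "scheme://" prefix and stops at the first
 * ':' or '/' or at end of string. Returns the hostname length, which is
 * legitimately zero for inputs such as "http://:80" and ":80". */
size_t extract_hostname(const char *url, char *out, size_t outsize)
{
    const char *p = strstr(url, "://");
    size_t n;

    p = p ? p + 3 : url;            /* start of the authority part */
    n = strcspn(p, ":/");           /* hostname ends at port or path */
    if (n >= outsize)
        n = outsize - 1;            /* never overrun the caller's buffer */
    memcpy(out, p, n);
    out[n] = '\0';
    return n;
}

/* Strip one trailing dot from `host` in place. Returns 1 if a dot was
 * removed, 0 otherwise. The defect the advisory describes is the absence
 * of the zero-length check: with len == 0, len - 1 wraps around and
 * host[len - 1] reads and writes the byte before the buffer. */
int strip_trailing_dot(char *host)
{
    size_t len = strlen(host);

    if (len == 0)
        return 0;                   /* nothing to inspect, nothing to touch */
    if (host[len - 1] == '.') {
        host[len - 1] = '\0';
        return 1;
    }
    return 0;
}

/* Run the extract + strip pipeline and compare the result with `expected`.
 * Returns 1 on match, 0 otherwise, so callers can check behaviour without
 * relying on printed output. */
int check_normalize(const char *url, const char *expected)
{
    char host[64];

    extract_hostname(url, host, sizeof host);
    strip_trailing_dot(host);
    return strcmp(host, expected) == 0;
}

int main(void)
{
    /* Constructed sample URLs, including the zero-length hostname cases. */
    const char *samples[] = {
        "http://example.com./", "http://example.com.:443/", "http://:80", ":80"
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char host[64];
        size_t len = extract_hostname(samples[i], host, sizeof host);
        int stripped = strip_trailing_dot(host);
        printf("%-26s -> host=\"%s\" (extracted len %zu, dot stripped: %d)\n",
               samples[i], host, len, stripped);
    }
    return 0;
}
```

The hardened version costs one comparison; the vulnerable shape is the same function with the `len == 0` branch deleted, and a fuzzer or a unit test feeding the empty-host URLs above is enough to catch the difference (under AddressSanitizer the unguarded write is reported as a heap or stack underflow).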
{
"CWE": {
"desc": "Buffer Underwrite ('Buffer Underflow')",
"id": "CWE-124"
},
"package": "curl",
"last_affected": "7.41.0",
"severity": "Medium",
"affects": "both",
"www": "https://curl.se/docs/CVE-2015-3144.html",
"URL": "https://curl.se/docs/CVE-2015-3144.json"
}
[
{
"digest": {
"length": 1215.0,
"function_hash": "302857014196003819835645927753951719924"
},
"target": {
"file": "lib/url.c",
"function": "fix_hostname"
},
"source": "https://github.com/curl/curl.git/commit/0583e87ada7a3cfb10904ae4ab61b339582c5bd3",
"id": "CURL-CVE-2015-3144-285a442b",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function"
},
{
"digest": {
"line_hashes": [
"270878377318186174494843635834225150969",
"46407169664050383391727544247789172485",
"51621819899399844632954616211039468642",
"118193069924792380754011537934000253690"
],
"threshold": 0.9
},
"target": {
"file": "lib/url.c"
},
"source": "https://github.com/curl/curl.git/commit/0583e87ada7a3cfb10904ae4ab61b339582c5bd3",
"id": "CURL-CVE-2015-3144-dd778062",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line"
}
]