CURL-CVE-2015-3144

Source: https://curl.se/docs/CVE-2015-3144.html
Import Source: https://curl.se/docs/CURL-CVE-2015-3144.json
JSON Data: https://api.test.osv.dev/v1/vulns/CURL-CVE-2015-3144
Aliases
Published: 2015-04-22T08:00:00Z
Modified: 2024-06-07T13:53:51Z
Summary: hostname out of boundary memory access
Details

There is a private function in libcurl called fix_hostname() that removes a trailing dot from the hostname if there is one. The function is called after the hostname has been extracted from the URL libcurl has been told to act on.

If a URL is given with a zero-length hostname, as in "http://:80" or just ":80", fix_hostname() indexes the hostname pointer with a -1 offset (as it blindly assumes a non-zero length) and both reads and writes that address.

At best, this goes unnoticed, but it can also lead to a crash or worse. We have not researched further what kind of malicious actions this could potentially be used for.
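
The -1 access described above, modelled in C as an added example (this is not curl's source; the function names and the guard-byte layout are constructed for illustration). The unchecked strip reads and overwrites the byte in front of an empty hostname, while the length-checked form leaves it alone.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the flaw: assumes the name is at least one byte long. */
static void strip_dot_unchecked(char *name)
{
    ptrdiff_t len = (ptrdiff_t)strlen(name);
    if (name[len - 1] == '.')     /* len == 0: reads name[-1] */
        name[len - 1] = '\0';     /* ...and writes to it */
}

/* Hardened form: only touch the last byte when one exists. */
static void strip_dot_checked(char *name)
{
    size_t len = strlen(name);
    if (len > 0 && name[len - 1] == '.')
        name[len - 1] = '\0';
}

/* Constructed layout: one guard byte sits directly before the hostname, so the
 * -1 access stays inside this array and its effect can be observed safely.
 * Returns the guard byte after the strip function has run. */
static char guard_after(void (*strip)(char *), const char *host)
{
    char buf[64];
    buf[0] = '.';                             /* guard byte, not part of the name */
    strncpy(buf + 1, host, sizeof(buf) - 2);  /* also zero-fills the remainder */
    buf[sizeof(buf) - 1] = '\0';
    strip(buf + 1);
    return buf[0];
}

/* Returns 1 if the trailing dot of a normal hostname is removed. */
static int strips_normal_name(void (*strip)(char *))
{
    char name[] = "example.com.";
    strip(name);
    return strcmp(name, "example.com") == 0;
}

int main(void)
{
    printf("unchecked, empty host, guard intact: %d\n", guard_after(strip_dot_unchecked, "") == '.');
    printf("checked,   empty host, guard intact: %d\n", guard_after(strip_dot_checked, "") == '.');
    return 0;
}
```

In a real heap allocation there is no guard byte: the byte at offset -1 belongs to whatever precedes the hostname buffer.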

Database specific
{
    "last_affected": "7.41.0",
    "CWE": {
        "id": "CWE-124",
        "desc": "Buffer Underwrite ('Buffer Underflow')"
    },
    "severity": "Medium",
    "www": "https://curl.se/docs/CVE-2015-3144.html",
    "affects": "both",
    "URL": "https://curl.se/docs/CVE-2015-3144.json",
    "package": "curl"
}
References
Credits
    • Hanno Böck - FINDER
    • Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type: SEMVER
Events
    Introduced: 7.37.0
    Fixed: 7.42.0

Type: GIT
Repo: https://github.com/curl/curl.git
Events

Affected versions

7.*

7.37.0
7.37.1
7.38.0
7.39.0
7.40.0
7.41.0

Database specific

{
    "vanir_signatures": [
        {
            "deprecated": false,
            "id": "CURL-CVE-2015-3144-285a442b",
            "signature_version": "v1",
            "digest": {
                "length": 1215.0,
                "function_hash": "302857014196003819835645927753951719924"
            },
            "signature_type": "Function",
            "target": {
                "function": "fix_hostname",
                "file": "lib/url.c"
            },
            "source": "https://github.com/curl/curl.git/commit/0583e87ada7a3cfb10904ae4ab61b339582c5bd3"
        },
        {
            "deprecated": false,
            "id": "CURL-CVE-2015-3144-dd778062",
            "signature_version": "v1",
            "digest": {
                "line_hashes": [
                    "270878377318186174494843635834225150969",
                    "46407169664050383391727544247789172485",
                    "51621819899399844632954616211039468642",
                    "118193069924792380754011537934000253690"
                ],
                "threshold": 0.9
            },
            "signature_type": "Line",
            "target": {
                "file": "lib/url.c"
            },
            "source": "https://github.com/curl/curl.git/commit/0583e87ada7a3cfb10904ae4ab61b339582c5bd3"
        }
    ]
}