CURL-CVE-2024-6197

Source
https://curl.se/docs/CVE-2024-6197.html
Import Source
https://curl.se/docs/CURL-CVE-2024-6197.json
JSON Data
https://api.test.osv.dev/v1/vulns/CURL-CVE-2024-6197
Aliases
Published
2024-07-24T08:00:00Z
Modified
2024-08-07T23:17:54Z
Summary
freeing stack buffer in utf8asn1str
Details

libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. It can detect an invalid field and return error. Unfortunately, when doing so it also invokes free() on a 4 byte local stack buffer.

Most modern malloc implementations detect this error and immediately abort. Some however accept the input pointer and add that memory to its list of available chunks. This leads to the overwriting of nearby stack memory. The content of the overwrite is decided by the free() implementation; likely to be memory pointers and a set of flags.

The most likely outcome of exploiting this flaw is a crash, although it cannot be ruled out that more serious results can be had in special circumstances.

Database specific
{
    "CWE": {
        "id": "CWE-590",
        "desc": "Free of Memory not on the Heap"
    },
    "award": {
        "amount": "2540",
        "currency": "USD"
    },
    "URL": "https://curl.se/docs/CVE-2024-6197.json",
    "package": "curl",
    "severity": "Medium",
    "issue": "https://hackerone.com/reports/2559516",
    "www": "https://curl.se/docs/CVE-2024-6197.html",
    "last_affected": "8.8.0"
}
References
Credits
    • z2_ - FINDER
    • z2_ - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type
SEMVER
Events
Introduced
8.6.0
Fixed
8.9.0
Type
GIT
Repo
https://github.com/curl/curl.git
Events

Affected versions

8.*

8.6.0
8.7.0
8.7.1
8.8.0