CURL-CVE-2024-6874

See a problem?
Please try reporting it to the source first.

Source

https://curl.se/docs/CVE-2024-6874.html

Import Source

https://curl.se/docs/CURL-CVE-2024-6874.json

JSON Data

https://api.test.osv.dev/v1/vulns/CURL-CVE-2024-6874

Aliases

CVE-2024-6874

Published

2024-07-24T08:00:00Z

Modified

2024-08-07T14:48:26Z

Summary

macidn punycode buffer overread

Details

libcurl's URL API function curlurlget() offers punycode conversions, to and from IDN. Asking to convert a name that is exactly 256 bytes, libcurl ends up reading outside of a stack based buffer when built to use the macidn IDN backend. The conversion function then fills up the provided buffer exactly - but does not null terminate the string.

This flaw can lead to stack contents accidentally getting returned as part of the converted string.

Database specific

{
    "issue": "https://hackerone.com/reports/2604391",
    "package": "curl",
    "URL": "https://curl.se/docs/CVE-2024-6874.json",
    "award": {
        "currency": "USD",
        "amount": "540"
    },
    "severity": "Low",
    "CWE": {
        "desc": "Buffer Over-read",
        "id": "CWE-126"
    },
    "last_affected": "8.8.0",
    "affects": "lib",
    "www": "https://curl.se/docs/CVE-2024-6874.html"
}

References

Credits

- z2_ - FINDER
- z2_ - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type: SEMVER
Events: Introduced

8.8.0

Fixed

8.9.0

Type: GIT
Repo: https://github.com/curl/curl.git
Events: Introduced

add22feeef07858307be5722e1869e082554290e

Fixed

686d54baf1df6e0775898f484d1670742898b3b2

Affected versions

8.*

8.8.0

Database specific

{
    "vanir_signatures": [
        {
            "target": {
                "file": "lib/idn.c",
                "function": "mac_idn_to_ascii"
            },
            "digest": {
                "function_hash": "216640968448479456553636563154165417207",
                "length": 575.0
            },
            "signature_type": "Function",
            "signature_version": "v1",
            "deprecated": false,
            "id": "CURL-CVE-2024-6874-6c58f535",
            "source": "https://github.com/curl/curl.git/commit/686d54baf1df6e0775898f484d1670742898b3b2"
        },
        {
            "target": {
                "file": "lib/idn.c",
                "function": "mac_ascii_to_idn"
            },
            "digest": {
                "function_hash": "172764687688659853305595737277601779273",
                "length": 577.0
            },
            "signature_type": "Function",
            "signature_version": "v1",
            "deprecated": false,
            "id": "CURL-CVE-2024-6874-dfa7777d",
            "source": "https://github.com/curl/curl.git/commit/686d54baf1df6e0775898f484d1670742898b3b2"
        },
        {
            "target": {
                "file": "lib/idn.c"
            },
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "98002545464681941635236377462148785051",
                    "232850703124931391163673421933204740841",
                    "112771001505927567012460810966684188462",
                    "248033720349314409798132084819429479132",
                    "113651119734714053058587916180594786732",
                    "232306955307703962923429757053563269400",
                    "101837938303599049161117334065762530211",
                    "248033720349314409798132084819429479132"
                ]
            },
            "signature_type": "Line",
            "signature_version": "v1",
            "deprecated": false,
            "id": "CURL-CVE-2024-6874-e762d376",
            "source": "https://github.com/curl/curl.git/commit/686d54baf1df6e0775898f484d1670742898b3b2"
        }
    ]
}