CURL-CVE-2015-3144

See a problem?
Source
https://curl.se/docs/CVE-2015-3144.html
Import Source
https://curl.se/docs/CURL-CVE-2015-3144.json
JSON Data
https://api.osv.dev/v1/vulns/CURL-CVE-2015-3144
Aliases
Published
2015-04-22T08:00:00Z
Modified
2024-06-07T13:53:51Z
Summary
hostname out of boundary memory access
Details

There is a private function in libcurl called fix_hostname() that removes a trailing dot from the hostname if there is one. The function is called after the hostname has been extracted from the URL libcurl has been told to act on.

If a URL is given with a zero-length hostname, like in "http://:80" or just ":80", fix_hostname() indexes the hostname pointer with a -1 offset (as it blindly assumes a non-zero length) and both read and assign that address.

At best, this gets unnoticed but can also lead to a crash or worse. We have not researched further what kind of malicious actions that potentially this could be used for.

References
Credits
    • Hanno Böck - FINDER
    • Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type
SEMVER
Events
Introduced
7.37.0
Fixed
7.42.0
Type
GIT
Repo
https://github.com/curl/curl.git
Events
Introduced
5de8d84098db1bd24e7fffefbe14e81f2a05995a
Fixed
0583e87ada7a3cfb10904ae4ab61b339582c5bd3

Affected versions

7.*

7.37.0
7.37.1
7.38.0
7.39.0
7.40.0
7.41.0