CURL-CVE-2015-3144

Source
https://curl.se/docs/CVE-2015-3144.html
Import Source
https://curl.se/docs/CURL-CVE-2015-3144.json
JSON Data
https://api.osv.dev/v1/vulns/CURL-CVE-2015-3144
Aliases
Published
2015-04-22T08:00:00Z
Modified
2024-06-07T13:53:51Z
Summary
hostname out of boundary memory access
Details

There is a private function in libcurl called fix_hostname() that removes a trailing dot from the hostname if there is one. The function is called after the hostname has been extracted from the URL libcurl has been told to act on.

If a URL is given with a zero-length hostname, like in "http://:80" or just ":80", fix_hostname() indexes the hostname pointer with a -1 offset (as it blindly assumes a non-zero length) and both read and assign that address.

At best, this gets unnoticed but can also lead to a crash or worse. We have not researched further what kind of malicious actions that potentially this could be used for.

Database specific
{
    "CWE": {
        "id": "CWE-124",
        "desc": "Buffer Underwrite ('Buffer Underflow')"
    },
    "package": "curl",
    "URL": "https://curl.se/docs/CVE-2015-3144.json",
    "severity": "Medium",
    "www": "https://curl.se/docs/CVE-2015-3144.html",
    "last_affected": "7.41.0"
}
References
Credits
    • Hanno Böck - FINDER
    • Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type
SEMVER
Events
Introduced
7.37.0
Fixed
7.42.0
Type
GIT
Repo
https://github.com/curl/curl.git
Events

Affected versions

7.*

7.37.0
7.37.1
7.38.0
7.39.0
7.40.0
7.41.0