CURL-CVE-2015-3145

Source
https://curl.se/docs/CVE-2015-3145.html
Import Source
https://curl.se/docs/CURL-CVE-2015-3145.json
JSON Data
https://api.osv.dev/v1/vulns/CURL-CVE-2015-3145
Aliases
Published
2015-04-22T08:00:00Z
Modified
2024-06-07T13:53:51Z
Summary
cookie parser out of boundary memory access
Details

libcurl supports HTTP "cookies" as documented in RFC 6265. Together with each individual cookie there are several different properties, but for this vulnerability we focus on the associated "path" element. It tells information about for which path on a given host the cookie is valid.

The internal libcurl function called sanitize_cookie_path() that cleans up the path element as given to it from a remote site or when read from a file, did not properly validate the input. If given a path that consisted of a single double-quote, libcurl would index a newly allocated memory area with index -1 and assign a zero to it, thus destroying heap memory it was not supposed to.

At best, this gets unnoticed but can also lead to a crash or worse. We have not researched further what kind of malicious actions that potentially this could be used for.

Applications have to explicitly enable cookie parsing in libcurl for this problem to trigger, and if not enabled libcurl does not hit this problem.

Database specific
{
    "CWE": {
        "id": "CWE-124",
        "desc": "Buffer Underwrite ('Buffer Underflow')"
    },
    "package": "curl",
    "URL": "https://curl.se/docs/CVE-2015-3145.json",
    "severity": "Medium",
    "www": "https://curl.se/docs/CVE-2015-3145.html",
    "last_affected": "7.41.0"
}
References
Credits
    • Hanno Böck - FINDER
    • Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type
SEMVER
Events
Introduced
7.31.0
Fixed
7.42.0
Type
GIT
Repo
https://github.com/curl/curl.git
Events

Affected versions

7.*

7.31.0
7.32.0
7.33.0
7.34.0
7.35.0
7.36.0
7.37.0
7.37.1
7.38.0
7.39.0
7.40.0
7.41.0