CURL-CVE-2024-6197

See a problem?
Source
https://curl.se/docs/CVE-2024-6197.html
Import Source
https://curl.se/docs/CURL-CVE-2024-6197.json
JSON Data
https://api.osv.dev/v1/vulns/CURL-CVE-2024-6197
Aliases
Published
2024-07-24T08:00:00Z
Modified
2024-08-07T23:17:54Z
Summary
freeing stack buffer in utf8asn1str
Details

libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. It can detect an invalid field and return error. Unfortunately, when doing so it also invokes free() on a 4 byte local stack buffer.

Most modern malloc implementations detect this error and immediately abort. Some however accept the input pointer and add that memory to its list of available chunks. This leads to the overwriting of nearby stack memory. The content of the overwrite is decided by the free() implementation; likely to be memory pointers and a set of flags.

The most likely outcome of exploiting this flaw is a crash, although it cannot be ruled out that more serious results can be had in special circumstances.

References
Credits
    • z2_ - FINDER
    • z2_ - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type
SEMVER
Events
Introduced
8.6.0
Fixed
8.9.0
Type
GIT
Repo
https://github.com/curl/curl.git
Events
Introduced
623c3a8fa0bdb2751f14b3741760d81910b7ec64
Fixed
3a537a4db9e65e545ec45b1b5d5575ee09a2569d

Affected versions

8.*

8.6.0
8.7.0
8.7.1
8.8.0