FreeBSD : cURL library -- heap corruption in curl_easy_unescape (01cf67b3-dc3b-11e2-a6cd-c48508086173)

medium Nessus Plugin ID 66968

Synopsis

The remote FreeBSD host is missing a security-related update.

Description

cURL developers report:

libcurl is vulnerable to a case of bad checking of the input data which may lead to heap corruption.

The function curl_easy_unescape() decodes URL-encoded strings to raw binary data. URL-encoded octets are represented with %HH combinations where HH is a two-digit hexadecimal number. The decoded string is written to an allocated memory area that the function returns to the caller.

The function takes a source string and a length parameter, and if the length provided is 0 the function will instead use strlen() to figure out how much data to parse.

The '%HH' parser wrongly only considered the case where a zero byte would terminate the input. If a length-limited buffer was passed in which ended with a '%' character which was followed by two hexadecimal digits outside of the buffer libcurl was allowed to parse, alas without a terminating zero, libcurl would still parse that sequence as well. The counter for remaining data to handle would then be decreased too much and wrap to become a very large integer, and the copying would go on too long and the destination buffer that is allocated on the heap would get overwritten.

We consider it unlikely that programs allow user-provided strings unfiltered into this function. Also, only the non-zero-terminated input string use case is affected by this flaw. Exploiting this flaw for gain is probably possible in specific circumstances, but we consider the general risk for this to be low.

The curl command line tool is not affected by this problem as it doesn't use this function.

There are no known exploits available at this time.
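The mechanism the report describes, reconstructed as a minimal C decoder. This is an added example, not libcurl's source and not the upstream patch: the loop shape (an unsigned remaining-bytes counter, decremented by two extra when a %HH sequence is consumed, with a length of 0 meaning strlen()) follows the report, while the function name `unescape`, the `struct decoded` fields and the `bounded` flag are this example's own. With `bounded == 0` the only thing that stops the %HH parser is a non-hex byte after '%', which is the flaw; with `bounded == 1` the decoder additionally requires more than two bytes to remain before it looks past the '%', so both hex digits must lie inside the caller-supplied length. The `overflowed` instrumentation stands in for the out-of-bounds heap write so the trigger can be run safely, and the input `"abc%41"` passed with length 4 is constructed so that the two hex digits sit just beyond the length-limited region, exactly the non-terminated case the report describes.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result of one decode run. Names are this example's own, not libcurl's. */
struct decoded {
    char *buf;        /* malloc'd, NUL-terminated output (caller frees it) */
    size_t len;       /* decoded bytes written */
    int overflowed;   /* 1 if the loop tried to write past the allocation */
    size_t counter;   /* remaining-bytes counter when the loop stopped */
};

/*
 * Decode %HH escapes in 'src'. A 'len' of 0 means "use strlen(src)", as the
 * report describes. bounded == 0 reproduces the flawed check (only a non-hex
 * byte after '%' stops the parser); bounded == 1 adds the length guard: the
 * two characters after '%' must still lie inside the caller-supplied length.
 */
static struct decoded unescape(const char *src, size_t len, int bounded)
{
    struct decoded r = { NULL, 0, 0, 0 };
    size_t alloc = (len ? len : strlen(src)) + 1;  /* data + terminating NUL */
    size_t cap = alloc;                            /* true size of the heap buffer */
    size_t idx = 0;

    r.buf = malloc(cap);
    if (!r.buf)
        return r;

    /* 'alloc' is unsigned: it is the counter that wraps in the flawed variant */
    while (--alloc > 0) {
        unsigned char in = (unsigned char)*src;

        /* Flawed: when alloc == 1 at a trailing '%', src[1] and src[2] are
         * beyond the length-limited input but are still inspected. The
         * 'alloc > 2' guard is the hardened variant. */
        if (in == '%' && (!bounded || alloc > 2) &&
            isxdigit((unsigned char)src[1]) && isxdigit((unsigned char)src[2])) {
            char hex[3] = { src[1], src[2], '\0' };
            in = (unsigned char)strtoul(hex, NULL, 16);
            src += 2;
            alloc -= 2;   /* 1 - 2 wraps to SIZE_MAX: the "very large integer" */
        }

        /* Instrumentation, not in the library: stop where the real code would
         * write past the heap allocation instead of actually corrupting it. */
        if (idx + 1 >= cap) {
            r.overflowed = 1;
            break;
        }
        r.buf[idx++] = (char)in;
        src++;
    }
    r.buf[idx] = '\0';
    r.len = idx;
    r.counter = alloc;
    return r;
}

int main(void)
{
    /* Constructed trigger: the caller passes length 4 ("abc%"), but the bytes
     * that follow in memory happen to be two hex digits. */
    static const char trigger[] = "abc%41";
    struct decoded bad = unescape(trigger, 4, 0);
    struct decoded good = unescape(trigger, 4, 1);

    printf("flawed : out=\"%s\" overflowed=%d counter=%zu\n",
           bad.buf, bad.overflowed, bad.counter);
    printf("bounded: out=\"%s\" overflowed=%d counter=%zu\n",
           good.buf, good.overflowed, good.counter);
    free(bad.buf);
    free(good.buf);
    return 0;
}
```

Two things the run makes visible that the prose only states: the same input decoded with a length of 0 (zero-terminated, so the '%' is followed by NUL) is handled correctly even by the flawed variant, which is why the report limits exposure to the non-terminated case; and the flawed variant is only wrong when the bytes past the caller's length happen to be hex digits, so a crash in testing would be intermittent and memory-layout dependent.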

Solution

Update the affected package.

See Also

https://curl.haxx.se/docs/CVE-2013-2174.html

http://www.nessus.org/u?b98d322a

Plugin Details

Severity: Medium

ID: 66968

File Name: freebsd_pkg_01cf67b3dc3b11e2a6cdc48508086173.nasl

Version: 1.7

Type: local

Published: 6/24/2013

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:curl, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 6/23/2013

Vulnerability Publication Date: 6/22/2013

Reference Information

CVE: CVE-2013-2174