Alpine: libcurl, multiple curl packages: security update to 8.9.0-r0

medium Tenable Cloud Security Plugin ID 423839

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. Itcan detect
an invalid field and return error. Unfortunately, when doing so it also invokes `free()` on a 4 byte
localstack buffer. Most modern malloc implementations detect this error and immediately abort. Some
however accept the input pointer and add that memory to its list of available chunks. This leads to the
overwriting of nearby stack memory. The content of the overwrite is decided by the `free()`
implementation; likely to be memory pointers and a set of flags. The most likely outcome of exploting this
flaw is a crash, although it cannot be ruled out that more serious results can be had in special
circumstances. (CVE-2024-6197)

- libcurl's URL API function [curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) offers punycode
conversions, to and from IDN. Asking to convert a name that is exactly 256 bytes, libcurl ends up reading
outside of a stack based buffer when built to use the *macidn* IDN backend. The conversion function then
fills up the provided buffer exactly - but does not null terminate the string. This flaw can lead to stack
contents accidently getting returned as part of the converted string. (CVE-2024-6874)

See Also

https://security.alpinelinux.org/vuln/CVE-2024-6197

https://security.alpinelinux.org/vuln/CVE-2024-6874

Plugin Details

Severity: Medium

ID: 423839

Version: Revision 1.8

Type: Local

Published: 4/4/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 94.66

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3.1

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS Score Source: CVE-2024-6874

CVSS v3

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 7/24/2024

Reference Information

CVE: CVE-2024-6197, CVE-2024-6874

IAVA: 2024-A-0446-S