Allele Security Alert
ASA-2019-00305
Identifier(s)
ASA-2019-00305, CVE-2019-5435
Title
Integer overflows in curl_url_set()
Vendor(s)
the Curl project
Product(s)
libcurl
Affected version(s)
libcurl 7.62.0 up to and including 7.64.1
Fixed version(s)
libcurl 7.65.0
Proof of concept
Unknown
Description
libcurl contains two integer overflows in the curl_url_set() function that, if triggered, can lead to a too-small buffer allocation and a subsequent heap buffer overflow.
The flaws only exist on 32-bit architectures and require excessive string input lengths.
Technical details
There are two entry points to this issue, both on 32-bit architectures.
Asking libcurl to parse a string, by passing in a string longer than 2GB to this API: `curl_url_set(uh, CURLUPART_URL, "string", 0);` triggers the bug.
Asking libcurl to update a URL with a new string, URL encoding it in the process, by passing in a string longer than 1.33GB to this API: `curl_url_set(uh, CURLUPART_*, "string", CURLU_URLENCODE);` triggers the bug.
This bug was introduced in August 2018 in [commit fb30ac5a2d](https://github.com/curl/curl/commit/fb30ac5a2d63773c52).
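The arithmetic behind the two thresholds, as an added example that is not taken from the advisory or from libcurl's source. It assumes the parse path sizes its buffer as 2*len + 2 and the URL-encoding path as 3*len + 1 (inferred from the 2GB and 1.33GB limits), models a 32-bit size_t with uint32_t, and uses a hypothetical cap named EXAMPLE_MAX_INPUT.

```c
#include <stdint.h>
#include <stdio.h>

/* uint32_t models size_t on a 32-bit build. The multipliers below are
 * assumptions inferred from the advisory's 2GB and 1.33GB thresholds. */

/* Unchecked size: wraps modulo 2^32, as 32-bit size_t arithmetic does. */
uint32_t unchecked_size(uint32_t len, uint32_t mul, uint32_t add)
{
  return len * mul + add;
}

/* Checked size: 0 and *out set on success, -1 if len*mul+add overflows. */
int checked_size(uint32_t len, uint32_t mul, uint32_t add, uint32_t *out)
{
  if(mul != 0 && len > (UINT32_MAX - add) / mul)
    return -1;
  *out = len * mul + add;
  return 0;
}

/* Hypothetical input cap (name and value are assumptions): refuse
 * oversized strings before any size arithmetic happens. */
#define EXAMPLE_MAX_INPUT 8000000u

int accept_input(uint32_t len)
{
  return len <= EXAMPLE_MAX_INPUT;
}

int main(void)
{
  uint32_t parse_len = 0x80000000u; /* constructed: 2 GiB string */
  uint32_t enc_len = 0x55555555u;   /* constructed: ~1.33 GiB string */
  uint32_t sz = 0;

  printf("parse:  need 2*len+2, unchecked gives %u bytes\n",
         (unsigned)unchecked_size(parse_len, 2, 2));
  printf("encode: need 3*len+1, unchecked gives %u bytes\n",
         (unsigned)unchecked_size(enc_len, 3, 1));
  printf("checked parse:  %d\n", checked_size(parse_len, 2, 2, &sz));
  printf("checked encode: %d\n", checked_size(enc_len, 3, 1, &sz));
  printf("cap accepts 2 GiB input: %d\n", accept_input(parse_len));
  return 0;
}
```

The unchecked results are the sizes that would be handed to the allocator: a few bytes or zero for a multi-gigabyte input, which is the too-small buffer the description refers to.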
Credits
Wenchao Li
Reference(s)
Integer overflows in curl_url_set()
https://curl.haxx.se/docs/CVE-2019-5435.html
CURL_MAX_INPUT_LENGTH: largest acceptable string input size
https://github.com/curl/curl/commit/5fc28510a4664f4
URL-API
https://github.com/curl/curl/commit/fb30ac5a2d63773c52
[SECURITY ADVISORY] curl: Integer overflows in curl_url_set
https://seclists.org/oss-sec/2019/q2/123
CVE-2019-5435
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5435
CVE-2019-5435
https://nvd.nist.gov/vuln/detail/CVE-2019-5435
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: September 14, 2019