Message-ID: <85s1o0qq-3n86-1s3q-s29p-54n951o27q2n@unkk.fr>
Date: Wed, 13 Sep 2023 08:31:25 +0200 (CEST)
From: Daniel Stenberg <daniel@...x.se>
To: curl security announcements -- curl users <curl-users@...ts.haxx.se>, 
    curl-announce@...ts.haxx.se, libcurl hacking <curl-library@...ts.haxx.se>, 
    oss-security@...ts.openwall.com
Subject: CVE-2023-38039 curl: HTTP headers eat all memory

HTTP headers eat all memory
===========================

Project curl Security Advisory, September 13 2023 -
[Permalink](https://curl.se/docs/CVE-2023-38039.html)

VULNERABILITY
-------------

When curl retrieves an HTTP response, it stores the incoming headers so that
they can be accessed later via the libcurl headers API.

However, curl did not have a limit in how many or how large headers it would
accept in a response, allowing a malicious server to stream an endless series
of headers and eventually cause curl to run out of heap memory.

INFO
----

Since libcurl allocates memory on the heap to store each header individually,
the exact number of headers required for this to become a problem will vary
greatly from case to case. As the headers typically need to be transferred over
a network to curl, the available bandwidth will also affect how likely or how
fast this problem can be triggered.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2023-38039 to this issue.

CWE-770: Allocation of Resources Without Limits or Throttling

Severity: Medium

AFFECTED VERSIONS
-----------------

- Affected versions: libcurl 7.84.0 to and including 8.2.1
- Not affected versions: libcurl < 7.84.0 and >= 8.3.0
- Introduced-in: https://github.com/curl/curl/commit/4d94fac9f0d1dd

libcurl is used by many applications, but not always advertised as such!

This flaw already existed in the 7.83.0 source code, but in that release the
feature was still marked **EXPERIMENTAL** and was not enabled in normal
builds. The label was removed in 7.84.0, which is why we consider that the first
vulnerable version.

SOLUTION
--------

Starting in curl 8.3.0, curl returns an error if the total size of the headers
in a single HTTP response exceeds 300 KB.

- Fixed-in: https://github.com/curl/curl/commit/3ee79c1674fd6f9

RECOMMENDATIONS
---------------

  A - Upgrade curl to version 8.3.0

  B - Apply the patch to your local version

  C - Monitor response headers in your application and return an error if too
      much header data arrives
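Recommendation C, applied to the problem described under VULNERABILITY, amounts to
giving the application its own cap on accumulated header bytes when it cannot yet
run a fixed libcurl. The following is an added illustration, not code from the curl
project or this advisory: a header callback with the CURLOPT_HEADERFUNCTION signature
that keeps a running byte total and refuses the line that would push it over a
budget (300 KB here, matching the limit curl 8.3.0 enforces itself). Returning a
value other than the number of bytes passed is how libcurl's header callback aborts
a transfer. The driver that feeds constructed header lines through the callback, and
the `header_budget` struct and function names, are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound on the total size of all headers in one response, in bytes.
   300 KB mirrors the limit curl 8.3.0 enforces (see SOLUTION above). */
#define MAX_HEADER_BYTES (300 * 1024)

/* Per-transfer accounting handed to the callback via CURLOPT_HEADERDATA.
   (Hypothetical name; any user-defined struct works.) */
struct header_budget {
    size_t bytes_seen;  /* header bytes accepted so far */
    size_t lines_seen;  /* header lines delivered so far, accepted or not */
    int exceeded;       /* set once a line would blow the budget */
};

/* Has the CURLOPT_HEADERFUNCTION signature: libcurl calls it once per received
   header line with size == 1 and nitems == line length. Returning anything other
   than size * nitems makes libcurl abort the transfer with CURLE_WRITE_ERROR,
   so a server streaming endless headers is cut off at the budget instead of
   being allowed to exhaust the heap. */
size_t header_budget_cb(char *buffer, size_t size, size_t nitems, void *userdata)
{
    struct header_budget *hb = (struct header_budget *)userdata;
    size_t len = size * nitems;
    (void)buffer;  /* content is irrelevant to the byte budget */

    hb->lines_seen++;
    /* Subtract rather than add so the comparison cannot overflow. */
    if (hb->exceeded || len > MAX_HEADER_BYTES - hb->bytes_seen) {
        hb->exceeded = 1;
        return 0;  /* refuse this line: libcurl aborts the transfer */
    }
    hb->bytes_seen += len;
    return len;
}

/* Constructed stand-in for libcurl's delivery loop: feeds n_lines header
   lines of line_len bytes each (padding plus CRLF, not real network traffic)
   through the callback and returns how many lines it accepted. In a real
   program the callback is installed instead with
     curl_easy_setopt(curl, CURLOPT_HEADERFUNCTION, header_budget_cb);
     curl_easy_setopt(curl, CURLOPT_HEADERDATA, &hb);
   and the "lines" come from the server. */
size_t simulate_header_stream(size_t line_len, size_t n_lines,
                              struct header_budget *hb)
{
    char *line = malloc(line_len);
    size_t accepted = 0;
    if (!line)
        return 0;
    memset(line, 'a', line_len);
    if (line_len >= 2) {
        line[line_len - 2] = '\r';
        line[line_len - 1] = '\n';
    }
    for (size_t i = 0; i < n_lines; i++) {
        if (header_budget_cb(line, 1, line_len, hb) != line_len)
            break;  /* libcurl would stop calling us here */
        accepted++;
    }
    free(line);
    return accepted;
}

int main(void)
{
    struct header_budget hb = {0, 0, 0};
    /* A server that keeps sending 1 KB header lines gets stopped after 300. */
    size_t accepted = simulate_header_stream(1024, 1000, &hb);
    printf("accepted %zu lines, %zu bytes, exceeded=%d\n",
           accepted, hb.bytes_seen, hb.exceeded);
    return hb.exceeded ? 1 : 0;
}
```

The check deliberately refuses the first line that would cross the budget rather
than accepting it and failing afterwards, so `bytes_seen` never exceeds
`MAX_HEADER_BYTES` and the allocation libcurl makes for that line is the last one
the server gets.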

TIMELINE
--------

This issue was reported to the curl project on July 17, 2023. We contacted
distros@...nwall on September 6, 2023.

This report arrived before the 8.2.0 and 8.2.1 releases shipped (on July 19
and July 26), but we did not manage to work it through and fix it in time for
those releases.

libcurl 8.3.0 was released on September 13 2023, coordinated with the
publication of this advisory.

CREDITS
-------

- Reported-by: selmelc on hackerone
- Patched-by: Daniel Stenberg

Thanks a lot!

-- 

  / daniel.haxx.se
  | Commercial curl support up to 24x7 is available!
  | Private help, bug fixes, support, ports, new features
  | https://curl.se/support.html
