CVE-2005-4077
Published 2005-12-08
Priority: P4 · 13 · medium · 4.6 (CVSS 2.0)
CVSS 2.0 vector: AV:L/AC:L/Au:N/C:P/I:P/A:P
EPSS: 0.27% (50.5th percentile)
Multiple off-by-one errors in the cURL library (libcurl) 7.11.2 through 7.15.0 allow local users to trigger a buffer overflow and cause a denial of service or bypass PHP security restrictions via certain URLs that (1) are malformed in a way that prevents a terminating null byte from being added to either a hostname or path buffer, or (2) contain a "?" separator in the hostname portion, which causes a "/" to be prepended to the resulting string.
Affected (16 ranges listed by the sources; identical rows merged)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| daniel_stenberg | curl | — | — |
| debian | curl | < curl 7.15.1-1 (bookworm) | curl 7.15.1-1 (bookworm) |
| haxx | curl | >= 0 < 7.15.1-1 | 7.15.1-1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 4.6 | MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 4.6 | MEDIUM | — |
| vendor_debian | — | 4.6 | MEDIUM | — |
| vendor_redhat | — | 4.6 | MEDIUM | — |
GHSA
GHSA-c4xg-24hh-cq78: Multiple off-by-one errors in the cURL library (libcurl) 7
ghsa_unreviewed·2022-05-03
OSV
CVE-2005-4077: Multiple off-by-one errors in the cURL library (libcurl) 7
osv·2005-12-08·CVSS 4.6
Ubuntu
curl library vulnerability
vendor_ubuntu·2005-12-13
Stefan Esser discovered several buffer overflows in the handling of URLs. By attempting to load a URL with a specially crafted invalid hostname, a local attacker could exploit this to execute arbitrary code with the privileges of the application that uses the cURL library.
It is not possible to trick cURL into loading a malicious URL with an HTTP redirect, so this vulnerability was usually not exploitable remotely. However, it could be exploited locally to e.g. circumvent PHP security restrictions.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
security flaw
vendor_redhat·2005-12-07·CVSS 4.6
Debian
CVE-2005-4077: curl - Multiple off-by-one errors in the cURL library (libcurl) 7.11.2 through 7.15.0 a...
vendor_debian·2005·CVSS 4.6
Scope: local
bookworm: resolved (fixed in 7.15.1-1)
bullseye: resolved (fixed in 7.15.1-1)
forky: resolved (fixed in 7.15.1-1)
sid: resolved (fixed in 7.15.1-1)
trixie: resolved (fixed in 7.15.1-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2005-4077 security flaw
bugzilla·2018-08-16·CVSS 4.6
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion: MITRE description (identical to the CVE text above).
Bugzilla
CVE-2005-4077 not fixed by curl-7.13.1-4.fc4
bugzilla·2005-12-09·CVSS 4.6
Description of problem:
fedora core 4 is still affected by CVE-2005-4077! curl 7.13.1 and earlier need to allocate +3 bytes instead of +2 since the default path is '/' and not "\0" like it is in 7.15.1:

lib/url.c:2386
```c
/* Set default path */
strcpy(conn->path, "/");
```

and then in:

lib/url.c:2451
```c
/* move the existing path plus the zero byte */
memmove(conn->path+len+1, conn->path, strlen(conn->path)+1);
```

we need one additional byte for the \0, one for the heading '/' and one for the trailing '/' of the default path.

```
$ rpm -q curl
curl-7.13.1-4.fc4
$ curl '?0123456789abcdef0123456789abcdef0123456789abcdef0123456
```
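The byte accounting behind the "+3 instead of +2" remark in the bug report above, as an added illustration that is not libcurl's code and not part of the original report. The hypothetical `build_path()` reproduces the two steps the report quotes (set the default path "/", then move it right and place a leading '/' plus the query text in front of it), but checks the required size before the `memmove` and refuses to write when the buffer is too small; `needed_path_bytes()` states the arithmetic, and `fits_with_slack()` tries a constructed 20-byte query against a buffer sized with the flawed "+2" rule and with "+3".

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bytes required for leading '/' + query + existing path + NUL.
 * With the default path "/" this is strlen(query) + 3, which is the
 * report's point: "+2" leaves the trailing '/' of the default path
 * without room. */
size_t needed_path_bytes(const char *query, const char *existing_path)
{
    return 1 + strlen(query) + strlen(existing_path) + 1;
}

/* Hypothetical, not libcurl's function. Builds "/" + query + "/" into
 * path, which has cap bytes of storage. Returns 0 on success and -1
 * when cap is too small (the case that overflowed in the old code). */
int build_path(char *path, size_t cap, const char *query)
{
    size_t qlen = strlen(query);

    /* Set default path, as the report's first snippet does. */
    if (cap < 2)
        return -1;
    strcpy(path, "/");

    /* Bounds check before the move, not after the damage is done. */
    if (needed_path_bytes(query, path) > cap)
        return -1;

    /* Move the existing path plus the zero byte, then prepend '/'
     * and the query text, as the report's second snippet does. */
    memmove(path + qlen + 1, path, strlen(path) + 1);
    path[0] = '/';
    memcpy(path + 1, query, qlen);
    return 0;
}

/* Returns 1 if a 20-byte constructed query fits in a buffer sized
 * strlen(query) + slack, 0 if build_path() would have had to overflow. */
int fits_with_slack(size_t slack)
{
    const char query[] = "0123456789abcdef0123"; /* constructed, 20 bytes */
    char buf[64];                                /* real storage is ample */
    size_t cap = strlen(query) + slack;          /* the capacity we claim */
    return build_path(buf, cap, query) == 0;
}

int main(void)
{
    printf("+2 bytes: %s\n", fits_with_slack(2) ? "fits" : "would overflow");
    printf("+3 bytes: %s\n", fits_with_slack(3) ? "fits" : "would overflow");
    return 0;
}
```

The capacity passed to `build_path()` is deliberately the claimed allocation size rather than the real 64-byte array, so the check fires exactly where a `malloc(strlen(url) + 2)` allocation would have been one byte short.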
Bugzilla
CVE-2005-4077 SA17907 cURL/libcURL URL Parsing Off-By-One Vulnerability
bugzilla·2005-12-08·CVSS 4.6
+++ This bug was initially created as a clone of Bug #175191 +++
'Stefan Esser has reported a vulnerability in cURL/libcURL, which has an unknown
impact.'
'The vulnerability is caused due to an off-by-one error when parsing an URL that
is longer than 256 bytes. By using a specially crafted URL, a two-byte overflow
is reportedly possible. This may be exploited to corrupt memory allocation
structures. The vulnerability is reportedly exploitable only via a direct
request to cURL and not via a redirect.'
'The vulnerability has been reported in version 7.15.0 and prior.'
Discussion:
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a reso
Bugzilla
CVE-2005-4077 SA17907 cURL/libcURL URL Parsing Off-By-One Vulnerability
bugzilla·2005-12-08·CVSS 4.6
Discussion:
fc3 version (curl-7.12.3-5.fc3) and fc4 version (curl-7.13.1-4.fc4) are fixed
(devel version is fixed too - bug 175191 - curl-7.15.1-1 ).
Bugzilla
CVE-2005-4077 SA17907 cURL/libcURL URL Parsing Off-By-One Vulnerability
bugzilla·2005-12-07·CVSS 4.6
Discussion:
Thank you for your bug report.
There is the latest upstream version curl-7.15.1-1 in the devel branch now, which fixes this problem.
References
- ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2006.16/SCOSA-2006.16.txt
- http://curl.haxx.se/docs/adv_20051207.html
- http://docs.info.apple.com/article.html?artnum=307562
- http://lists.apple.com/archives/security-announce/2006/May/msg00003.html
- http://lists.apple.com/archives/security-announce/2008/Mar/msg00001.html
- http://qa.openoffice.org/issues/show_bug.cgi?id=59032
- http://secunia.com/advisories/17907
- http://secunia.com/advisories/17960
- http://secunia.com/advisories/17961
- http://secunia.com/advisories/17965
- http://secunia.com/advisories/17977
- http://secunia.com/advisories/18105
- http://secunia.com/advisories/18188
- http://secunia.com/advisories/18336
- http://secunia.com/advisories/19261
- http://secunia.com/advisories/19433
- http://secunia.com/advisories/19457
- http://secunia.com/advisories/20077
- http://www.debian.org/security/2005/dsa-919
- http://www.gentoo.org/security/en/glsa/glsa-200512-09.xml
- http://www.gentoo.org/security/en/glsa/glsa-200603-25.xml
- http://www.hardened-php.net/advisory_242005.109.html
- http://www.mandriva.com/security/advisories?name=MDKSA-2005:224
- http://www.redhat.com/archives/fedora-announce-list/2005-December/msg00020.html
- http://www.redhat.com/support/errata/RHSA-2005-875.html
- http://www.securityfocus.com/archive/1/418849/100/0/threaded
- http://www.securityfocus.com/bid/15756
- http://www.securityfocus.com/bid/17951
- http://www.trustix.org/errata/2005/0072/
- http://www.us-cert.gov/cas/techalerts/TA06-132A.html
- http://www.vupen.com/english/advisories/2005/2791
- http://www.vupen.com/english/advisories/2006/0960
- http://www.vupen.com/english/advisories/2006/1779
- http://www.vupen.com/english/advisories/2008/0924/references
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10855
- https://usn.ubuntu.com/228-1/