{"id":"CURL-CVE-2014-3707","summary":"duphandle read out of bounds","details":"libcurl's function\n[`curl_easy_duphandle()`](https://curl.se/libcurl/c/curl_easy_duphandle.html)\nhas a bug that can lead to libcurl eventually sending off sensitive data that\nwas not intended for sending.\n\nWhen doing an HTTP POST transfer with libcurl, you can use the\n`CURLOPT_COPYPOSTFIELDS` option to specify a memory area holding the data to\nsend to the remote server. The memory area's size is set with a separate\noption, for example `CURLOPT_POSTFIELDSIZE`.\n\nAs the name implies, the data in the specified buffer is copied to a privately\nheld memory buffer that libcurl allocates on the heap. The memory area is\nassociated with the common CURL handle, often referred to as an \"easy handle\".\n\nThis handle can be duplicated by an application to create an identical copy,\nand all the already set options and data are then also similarly cloned and\nassociated with the newly returned handle. This also includes the data to\nsend in an HTTP POST request.\n\nThe internal libcurl function that duplicates options from the old handle to\nthe new one had two problems:\n\n1. It mistakenly treated the post data buffer as if it was a C string, which is\n   assumed to end with a zero byte. `strdup()` was subsequently used to\n   duplicate the post data buffer, and as a post data buffer can either\n   legitimately contain a zero byte or contain no zero bytes at all\n   (including a trailing one), `strdup()` could create a copy that a) was too\n   small, b) was too large, or c) could crash due to reading an inaccessible\n   memory area. The `strdup()` function of course allocates memory off the\n   heap.\n\n2. After duplication of the handle data, the pointer used to read from when\n   sending the data was not updated. When sending off the post, libcurl would\n   still read from the original handle's buffer, which at that time could have\n   been freed or reused for other purposes.\n\nWhen libcurl subsequently constructs the HTTP POST request and includes data\nfor the protocol body, it copies data from that pointer using the old size and\nthe old pointer. This reads from the wrong place and can lead to\nlibcurl inserting data into the request that happens to be stored at that\nplace in memory at that time.\n\nWe are not aware of anyone having been able to actually exploit this for\nnefarious purposes, but we cannot exclude that it is possible or even might\nalready have been exploited.","aliases":["CVE-2014-3707"],"modified":"2024-06-07T13:53:51Z","published":"2014-11-05T08:00:00Z","database_specific":{"last_affected":"7.38.0","www":"https://curl.se/docs/CVE-2014-3707.html","severity":"Medium","package":"curl","URL":"https://curl.se/docs/CVE-2014-3707.json","affects":"lib","CWE":{"id":"CWE-126","desc":"Buffer 
Over-read"}},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.17.1"},{"fixed":"7.39.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"a005243908803662d4a05427bc1061db42f4d057"},{"fixed":"b3875606925536f82fc61f3114ac42f29eaf6945"}]}],"versions":["7.38.0","7.37.1","7.37.0","7.36.0","7.35.0","7.34.0","7.33.0","7.32.0","7.31.0","7.30.0","7.29.0","7.28.1","7.28.0","7.27.0","7.26.0","7.25.0","7.24.0","7.23.1","7.23.0","7.22.0","7.21.7","7.21.6","7.21.5","7.21.4","7.21.3","7.21.2","7.21.1","7.21.0","7.20.1","7.20.0","7.19.7","7.19.6","7.19.5","7.19.4","7.19.3","7.19.2","7.19.1","7.19.0","7.18.2","7.18.1","7.18.0","7.17.1"],"database_specific":{"source":"https://curl.se/docs/CURL-CVE-2014-3707.json"}}],"schema_version":"1.7.3","credits":[{"name":"Symeon Paraschoudis","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"},{"name":"Stas Malyshev","type":"OTHER"},{"name":"Dan Fandrich","type":"OTHER"},{"name":"Tomas Hoger","type":"OTHER"}]}