{"id":"CURL-CVE-2015-3145","summary":"cookie parser out of boundary memory access","details":"libcurl supports HTTP \"cookies\" as documented in RFC 6265. Together with each\nindividual cookie there are several different properties, but for this\nvulnerability we focus on the associated \"path\" element. It specifies\nthe path on a given host for which the cookie is valid.\n\nThe internal libcurl function called `sanitize_cookie_path()` that cleans up\nthe path element as given to it from a remote site or when read from a file\ndid not properly validate the input. If given a path that consisted of a\nsingle double-quote, libcurl would index a newly allocated memory area with\nindex -1 and assign a zero to it, thus destroying heap memory it was not\nsupposed to.\n\nAt best, this goes unnoticed, but it can also lead to a crash or worse. We have\nnot researched further what kind of malicious actions this could\npotentially be used for.\n\nApplications have to explicitly enable cookie parsing in libcurl for this\nproblem to trigger; if it is not enabled, libcurl does not hit this problem.","aliases":["CVE-2015-3145"],"modified":"2024-06-07T13:53:51Z","published":"2015-04-22T08:00:00Z","database_specific":{"CWE":{"desc":"Buffer Underwrite ('Buffer Underflow')","id":"CWE-124"},"package":"curl","last_affected":"7.41.0","URL":"https://curl.se/docs/CVE-2015-3145.json","www":"https://curl.se/docs/CVE-2015-3145.html","affects":"both","severity":"Medium"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.31.0"},{"fixed":"7.42.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"f24dc09d209a2f91ca38d854f0c15ad93f3d7e2d"},{"fixed":"b5f947b8ac0e282c61c75b69cd5b9d37dafc6959"}]}],"versions":["7.41.0","7.40.0","7.39.0","7.38.0","7.37.1","7.37.0","7.36.0","7.35.0","7.34.0","7.33.0","7.32.0","7.31.0"],"database_specific":{"source":"https://curl.se/docs/CURL-CVE-2015-3145.json","vanir_signatures":[{"target":{"file":"lib/cookie.c"},"digest":{"threshold":0.9,"line_hashes":["293563771843034153120071997404243464066","289614564877088622217344177799380382972","50498536746157685716813616910491095043","295537095925371282186368242809537621657","62264493403146632954184705088746894114","178344282507991223133292553271951997017","94800141695634214740011328778152424046","36548534372095779693887026828094614755","234723359792059470851083126105044695245","184815900173780659492738533370050725819","123804182142046795488228724850281630496","49896981419524448296182980446720025504","304286752593192325307573153722813475165"]},"source":"https://github.com/curl/curl.git/commit/b5f947b8ac0e282c61c75b69cd5b9d37dafc6959","id":"CURL-CVE-2015-3145-45401199","signature_type":"Line","deprecated":false,"signature_version":"v1"},{"target":{"file":"lib/cookie.c","function":"sanitize_cookie_path"},"digest":{"length":513,"function_hash":"115503220579082677945659424175936200582"},"source":"https://github.com/curl/curl.git/commit/b5f947b8ac0e282c61c75b69cd5b9d37dafc6959","id":"CURL-CVE-2015-3145-52bd4870","signature_type":"Function","deprecated":false,"signature_version":"v1"}]}}],"schema_version":"1.7.3","credits":[{"name":"Hanno Böck","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}