CVE-2024-6197 Information
Description
libcurl’s ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. It can detect an invalid field and return error. Unfortunately when doing so it also invokes free() on a 4 byte local stack buffer. Most modern malloc implementations detect this error and immediately abort. Some however accept the input pointer and add that memory to its list of available chunks. This leads to the overwriting of nearby stack memory. The content of the overwrite is decided by the free() implementation; likely to be memory pointers and a set of flags. The most likely outcome of exploiting this flaw is a crash although it cannot be ruled out that more serious results can be had in special circumstances.
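The description above names the bug class: an error path that calls free() on a 4 byte buffer living on the stack. The following is an added, constructed illustration of a parser with the same shape and a correct error path; it is not libcurl's utf8asn1str() or any curl code, and the function names, the UCS-4 input form and the simplified validity checks are assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration, not libcurl's code: convert an ASN.1
 * UniversalString body (UCS-4 big-endian) to NUL-terminated UTF-8 via a
 * 4-byte stack buffer per code point. Returns 0, or -1 on an invalid field. */
int ucs4_to_utf8(const unsigned char *from, size_t len, char **out)
{
    char *res; size_t used = 0, i;
    *out = NULL;
    if(len % 4) return -1;      /* not a whole number of characters */
    res = malloc(len + 1);      /* UTF-8 needs at most 4 bytes per char */
    if(!res) return -1;
    for(i = 0; i < len; i += 4) {
        char buf[4];            /* the 4-byte local stack buffer */
        size_t n, k;
        uint32_t wc = ((uint32_t)from[i] << 24) | ((uint32_t)from[i+1] << 16)
                    | ((uint32_t)from[i+2] << 8) | from[i+3];
        if(wc > 0x10FFFF || (wc >= 0xD800 && wc <= 0xDFFF)) {
            /* Invalid field. The CVE-2024-6197 bug shape was a free(buf)
             * here: buf is on the stack, so a free() that does not abort
             * corrupts nearby stack memory. Release heap memory only. */
            free(res);
            return -1;
        }
        if(wc < 0x80) { buf[0] = (char)wc; n = 1; }
        else if(wc < 0x800) { buf[0] = (char)(0xC0 | (wc >> 6)); n = 2; }
        else if(wc < 0x10000) { buf[0] = (char)(0xE0 | (wc >> 12)); n = 3; }
        else { buf[0] = (char)(0xF0 | (wc >> 18)); n = 4; }
        for(k = 1; k < n; k++)  /* continuation bytes, high bits first */
            buf[k] = (char)(0x80 | ((wc >> (6 * (n - 1 - k))) & 0x3F));
        memcpy(res + used, buf, n);
        used += n;
    }
    res[used] = '\0';
    *out = res;
    return 0;
}

/* Test helper: 1 = converts and equals 'expect', 0 = rejected, -1 = differs. */
int check_conversion(const unsigned char *from, size_t len, const char *expect)
{
    char *out;
    if(ucs4_to_utf8(from, len, &out) != 0)
        return 0;
    int same = strcmp(out, expect) == 0;
    free(out);
    return same ? 1 : -1;
}
```

Building the constructed converter with AddressSanitizer and feeding it a rejected field is a quick way to confirm that the error path touches only heap memory.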
Reference
cve@curl.se
https://curl.se/docs/CVE-2024-6197.json
https://curl.se/docs/CVE-2024-6197.html
https://hackerone.com/reports/2559516
http://www.openwall.com/lists/oss-security/2024/07/24/1
http://www.openwall.com/lists/oss-security/2024/07/24/5