curl: CVE-2022-35260: .netrc parser out-of-bounds access

Source: hackerone.com (HackerOne report H1:1721098)
Reporter: kurohiro
Published: 2022-10-03 16:14:04

CVSS3: 6.5 Medium (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: HIGH

CVSS2: 4.3 Medium (AV:N/AC:M/Au:N/C:N/I:N/A:P)
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: PARTIAL

EPSS: 0.001 Low (percentile 27.6%)

Summary:

curl's .netrc parser assumes that each line it reads contains whitespace. If the file contains no space character at all, the token scanner reads past the end of its buffer and then performs a 1-byte out-of-bounds write.
Depending on the state of memory, this can happen more than once.

Steps To Reproduce:

curl --netrc-file .netrc test.local
“.netrc” is attached.
Its content is 4095 bytes of 'a'.
Depending on memory conditions, even single-byte files can cause problems.

The trigger is not exactly the absence of spaces and newlines.
The precise condition is that the .netrc file contains no character for which ISSPACE() returns true (which also means it contains no line feed).
The problem is in parsenetrc() in lib/netrc.c.
parsenetrc() has the following loop.

    while(!done && fgets(netrcbuffer, netrcbuffsize, file)) {
      char *tok;
      char *tok_end;
      bool quoted;
      if(state == MACDEF) {
        if((netrcbuffer[0] == '\n') || (netrcbuffer[0] == '\r'))
          state = NOTHING;
        else
          continue;
      }
      tok = netrcbuffer;
      while(tok) {
        while(ISSPACE(*tok))
          tok++;
        /* tok is first non-space letter */
        if(!*tok || (*tok == '#'))
          /* end of line or the rest is a comment */
          break;

        /* leading double-quote means quoted string */
        quoted = (*tok == '\"');

        tok_end = tok;
        if(!quoted) {
          while(!ISSPACE(*tok_end))   /* never stops at the terminating NUL */
            tok_end++;
          *tok_end = 0;               /* 1-byte write wherever the scan stopped */
        }

Both the 'a' bytes and the terminating '\0' are characters for which ISSPACE() returns false, so the condition of the inner while(!ISSPACE(*tok_end)) loop (line 25 of the excerpt) stays true past the end of the string and tok_end walks beyond the buffer.
This is an out-of-bounds read.
The following *tok_end = 0; (line 27) is then an out-of-bounds write of one '\0' byte.

Remediation ideas:

I think it would be better to include the condition that *tok is not NULL in the while statement.
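As an added illustration, not code from the report or from curl, the C program below models the two scans discussed above. line_triggers_overrun() reproduces the loop from the excerpt but stops at the terminator, so it can safely report whether the original loop would have run past the NUL for a given line; split_netrc_line() is the same scanner with the extra *tok_end test the remediation suggests. The advance to the next token (tok = tok_end + 1) is assumed, since the excerpt ends before it; with that assumption the shown loop overruns for any non-quoted token that reaches the terminator, of which a file with no ISSPACE() character is the case where the very first token does so. Quoted tokens take curl's other branch and are not modelled. All input lines, including the 4095-byte run of 'a', are constructed here.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same predicate as curl's ISSPACE(): isspace() on the byte as unsigned char. */
static bool is_space(char c)
{
    return isspace((unsigned char)c) != 0;
}

/*
 * Model of the vulnerable scan quoted in the report.  Returns true when the
 * loop `while(!ISSPACE(*tok_end)) tok_end++;` would reach the string
 * terminator for some token on this line, i.e. would step past the NUL
 * (out-of-bounds read) with the following `*tok_end = 0` writing one byte
 * past it.  The model stops AT the NUL, so it is itself memory-safe.
 */
bool line_triggers_overrun(const char *line)
{
    const char *tok = line;
    for(;;) {
        while(is_space(*tok))
            tok++;
        if(!*tok || *tok == '#')
            return false;   /* end of line or comment: the outer loop breaks safely */
        if(*tok == '"')
            return false;   /* quoted branch is not the one at issue; not modelled */
        const char *tok_end = tok;
        while(*tok_end && !is_space(*tok_end))
            tok_end++;
        if(!*tok_end)
            return true;    /* the original loop would not stop here */
        tok = tok_end + 1;  /* assumed advance to the next token (not in the excerpt) */
    }
}

/*
 * Hardened splitter: the only change from the quoted loop is the added
 * `*tok_end &&` test, so a token that runs to the terminator ends there
 * instead of past it.  Writes up to `max_toks` token pointers into `toks`
 * (the line is modified in place, like curl's parser) and returns the count.
 */
size_t split_netrc_line(char *line, char **toks, size_t max_toks)
{
    size_t n = 0;
    char *tok = line;
    while(n < max_toks) {
        while(is_space(*tok))
            tok++;
        if(!*tok || *tok == '#')
            break;
        char *tok_end = tok;
        while(*tok_end && !is_space(*tok_end))
            tok_end++;
        bool at_end = (*tok_end == '\0');
        *tok_end = '\0';            /* in bounds: tok_end is at or before the original NUL */
        toks[n++] = tok;
        if(at_end)
            break;
        tok = tok_end + 1;
    }
    return n;
}

/* Constructed input matching the attachment described in the report:
   4095 'a' bytes and no whitespace at all. */
const char *report_style_line(void)
{
    static char buf[4096];
    memset(buf, 'a', sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';
    return buf;
}

int main(void)
{
    char line[] = "machine example.test login bob";   /* constructed; no trailing newline */
    char *toks[8];
    size_t n = split_netrc_line(line, toks, 8);
    printf("tokens: %zu, last token: %s\n", n, n ? toks[n - 1] : "(none)");
    printf("report-style line would overrun: %s\n",
           line_triggers_overrun(report_style_line()) ? "yes" : "no");
    printf("line ending in newline would overrun: %s\n",
           line_triggers_overrun("machine example.test login bob\n") ? "yes" : "no");
    return 0;
}
```

Running it shows that the line ending in a newline is safe while the 4095-byte line is not, and that the hardened splitter returns the final token of a line intact even when nothing follows it.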

Impact

Application crash plus other as yet undetermined consequences.
