CVE-2019-5435
Description
Integer overflow in curl_url_set() on 32-bit systems leads to heap buffer overflow in libcurl 7.62.0 through 7.64.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An integer overflow vulnerability exists in the curl_url_set() function of libcurl versions 7.62.0 to 7.64.1 inclusive. The flaw occurs when parsing or updating URLs with excessively long strings on 32-bit architectures. Two specific code paths are affected: passing a string longer than 2 GB to curl_url_set(uh, CURLUPART_URL, "string", 0) triggers the overflow, as does passing a string longer than 1.33 GB with the CURLU_URLENCODE flag set. The overflow results in an undersized heap buffer allocation, leading to a subsequent heap buffer overflow [1].
Exploitation
Exploitation requires a 32-bit system and the ability to supply a crafted URL string of extreme length (over 2 GB or over 1.33 GB depending on the API call). The attacker must have a means to invoke the vulnerable curl_url_set() function, either directly via the libcurl API or indirectly through an application that uses libcurl and accepts user-controlled URL input. No authentication is needed if the application exposes the URL parsing functionality to untrusted data. The attack does not require user interaction beyond the application processing the malicious input [1].
Impact
Successful exploitation results in a heap buffer overflow, which can corrupt adjacent memory. This may lead to arbitrary code execution with the privileges of the process using libcurl, or cause a denial of service via application crash. The severity is rated Low by the curl project due to the specific platform and input length requirements, but the Gentoo security advisory (GLSA 202003-29) notes that the worst-case impact could be arbitrary code execution [1][3].
Mitigation
The vulnerability is fixed in libcurl version 7.65.0, released on May 22, 2019. Users should upgrade to 7.65.0 or later. Alternatively, the patch (commit 5fc28510a4664f4) can be applied to affected versions and libcurl rebuilt. No workaround is available for unpatched versions. Gentoo users should upgrade to >=net-misc/curl-7.66.0 as per GLSA 202003-29 [1][3].
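To make the two length thresholds above concrete, here is an added C example, not curl's code, that emulates 32-bit size arithmetic with uint32_t: it shows how an unchecked allocation-size computation wraps to a value smaller than the input, next to the overflow-checked form a fix needs. It assumes the worst-case 3x growth of percent-encoding (every byte becoming "%XX"), which is what produces the 1.33 GB threshold, and a plain-URL path that stores the length in a signed 32-bit int, which is what produces the 2 GB threshold; function names are illustrative.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Emulated 32-bit size type: on a 32-bit build size_t is 32 bits wide, so
 * uint32_t reproduces the same wrap-around on any host. (Assumption.) */
typedef uint32_t size32_t;

/* Worst-case growth of percent-encoding: every input byte may become "%XX".
 * Assumed for this illustration; it matches the 1.33 GB threshold above. */
#define URLENCODE_FACTOR 3u

/* Unchecked size computation of the kind that yields an undersized heap
 * buffer: above (UINT32_MAX - 1) / 3 the product wraps and the result is
 * smaller than the input it is meant to hold. */
size32_t unchecked_encoded_size(size32_t len)
{
    return (size32_t)(len * URLENCODE_FACTOR + 1u); /* wraps silently */
}

/* Overflow-checked version: refuse any length whose encoded size cannot be
 * represented rather than allocate a too-small buffer. */
bool checked_encoded_size(size32_t len, size32_t *out)
{
    if (len > (UINT32_MAX - 1u) / URLENCODE_FACTOR)
        return false;
    if (out)
        *out = (size32_t)(len * URLENCODE_FACTOR + 1u);
    return true;
}

/* Plain-URL path: a length held in a signed 32-bit int turns negative once
 * it exceeds 2 GB, so reject anything above INT32_MAX up front. */
bool length_fits_signed32(size32_t len)
{
    return len <= (size32_t)INT32_MAX;
}

int main(void)
{
    const size32_t gib = 1024u * 1024u * 1024u;

    printf("unchecked 1.5 GiB -> %" PRIu32 " bytes\n",
           unchecked_encoded_size(gib + gib / 2));
    printf("checked 1.5 GiB -> %s\n",
           checked_encoded_size(gib + gib / 2, NULL) ? "ok" : "rejected");
    printf("2 GiB fits int: %s\n", length_fits_signed32(2u * gib) ? "yes" : "no");
    return 0;
}
```

With 1.5 GiB of input the unchecked computation returns about 512 MiB, so the allocated buffer would be far smaller than what gets written into it; the checked version rejects the length instead.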
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE; the mechanics section is only generated when the actual fix diff can be read. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SMG3V4VTX2SE3EW3HQTN3DDLQBTORQC2/ (Fedora vendor advisory)
- security.gentoo.org/glsa/202003-29 (Gentoo vendor advisory)
- curl.haxx.se/docs/CVE-2019-5435.html (curl advisory)
- security.netapp.com/advisory/ntap-20190606-0004/ (NetApp advisory)
- support.f5.com/csp/article/K08125515 (F5 advisory)
- www.oracle.com/security-alerts/cpuapr2020.html (Oracle Critical Patch Update, April 2020)
- www.oracle.com/security-alerts/cpuoct2020.html (Oracle Critical Patch Update, October 2020)
- www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html (Oracle Critical Patch Update, October 2019)
News mentions
No linked articles in our index yet.