VYPR
Unrated severity · NVD Advisory · Published Jul 24, 2024 · Updated Feb 13, 2025

freeing stack buffer in utf8asn1str

CVE-2024-6197

Description

libcurl's ASN1 parser in versions 8.6.0-8.8.0 frees a stack buffer when parsing invalid UTF-8 strings, causing crashes or potential code execution via malicious TLS certificates.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In libcurl's ASN1 parser, the function utf8asn1str() incorrectly invokes free() on a local stack buffer when it detects an invalid ASN.1 UTF-8 string field. This vulnerability was introduced in a code refactor in curl 8.6.0 and affects versions 8.6.0 through 8.8.0 inclusive. It is exploitable only when curl is built with GnuTLS, wolfSSL, Schannel, Secure Transport, or mbedTLS [3].

Exploitation

An attacker acting as a malicious TLS server can trigger the vulnerability by offering a specially crafted certificate that causes libcurl to parse an invalid ASN.1 UTF-8 string. No authentication or user interaction is required beyond initiating a TLS connection. The vulnerable code path is reached during certificate parsing [3].

Impact

When the bug is triggered, free() is called on a 4-byte stack buffer. Most modern malloc implementations detect this and abort, causing a crash (denial of service). Some malloc implementations may accept the pointer and add the stack memory to the free list, leading to corruption of nearby stack memory. This could potentially result in arbitrary code execution in special circumstances, though the most likely outcome is a crash [1][3].

Mitigation

The fix is included in curl version 8.9.0, released on July 24, 2024 [3]. Users should upgrade to 8.9.0 or apply the patch from the curl repository. Versions before 8.6.0 are not affected. No workaround is available beyond disabling affected TLS backends, but upgrade is recommended.
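The version range and backend list above can be turned into an inventory check. The following is an added example, not code from curl or from this advisory: it classifies `curl --version` style banners, assuming the banner carries a `libcurl/<x.y.z>` token followed by backend tokens such as `GnuTLS/3.8.3`, `Schannel` or `(SecureTransport)`. The sample banners are constructed.

```python
import re

# Facts from the advisory: affected range and the TLS backends that reach the bug.
FIRST_AFFECTED, LAST_AFFECTED = (8, 6, 0), (8, 8, 0)
# Assumption: backend names as they appear as tokens in the version banner
# ("Secure Transport" is written "SecureTransport" there).
AFFECTED_BACKENDS = {"gnutls": "GnuTLS", "wolfssl": "wolfSSL", "schannel": "Schannel",
                     "securetransport": "Secure Transport", "mbedtls": "mbedTLS"}
_LIBCURL = re.compile(r"\blibcurl/(\d+)\.(\d+)\.(\d+)")


def triage(banner):
    """Classify one `curl --version` style banner against CVE-2024-6197.

    Returns (verdict, backends); verdict is 'affected',
    'in-range-other-backend', 'not-affected' or 'unknown'.
    """
    for line in banner.splitlines():
        m = _LIBCURL.search(line)
        if m:
            break
    else:
        return "unknown", []  # no libcurl version token found
    version = tuple(int(part) for part in m.groups())
    if not FIRST_AFFECTED <= version <= LAST_AFFECTED:
        return "not-affected", []
    # Component tokens follow the libcurl version. Parentheses are stripped so
    # a backend shown as "(SecureTransport)" is still recognised.
    found = []
    for tok in re.split(r"[\s()]+", line[m.end():]):
        name = AFFECTED_BACKENDS.get(tok.split("/")[0].lower())
        if name and name not in found:
            found.append(name)
    return ("affected" if found else "in-range-other-backend"), found


# Constructed sample banners (not captured from real hosts).
SAMPLES = [
    "curl 8.7.1 (x86_64-pc-linux-gnu) libcurl/8.7.1 GnuTLS/3.8.3 zlib/1.3",
    "curl 8.8.0 (x86_64-pc-linux-gnu) libcurl/8.8.0 OpenSSL/3.0.13 zlib/1.3",
    "curl 8.6.0 (x86_64-apple-darwin23.0) libcurl/8.6.0 (SecureTransport) LibreSSL/3.3.6",
    "curl 8.9.0 (x86_64-pc-linux-gnu) libcurl/8.9.0 mbedTLS/3.6.0 zlib/1.3",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample), "<-", sample)
```

An `in-range-other-backend` result means the version falls in 8.6.0 through 8.8.0 but none of the listed backends was found in the banner; such hosts still need the upgrade to 8.9.0 to leave the affected range.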

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

5

References

5
