macidn punycode buffer overread

Vulnerability

libcurl's curl_url_get() function, when built with the *macidn* IDN backend (Apple's native IDN library), performs punycode conversions. If a name exactly 256 bytes is provided, the conversion reads outside a stack-based buffer and fails to null-terminate the result. This bug was introduced in curl 8.8.0 and affects only builds using macidn [1][2]. Versions prior to 8.8.0 and 8.9.0 and later are not affected [2].

Exploitation

An attacker must supply a URL with a hostname of exactly 256 bytes that triggers punycode conversion via curl_url_get(). The attacker does not need authentication but must control the input to a libcurl-based application that uses the URL API. The curl command-line tool is not affected [2]. The overread occurs during the conversion, and the returned string may include adjacent stack data.

Impact

Successful exploitation can lead to disclosure of stack memory contents as part of the converted string. This is an information disclosure vulnerability with low severity, as the leaked data is limited to stack contents adjacent to the buffer [2].

Mitigation

The vulnerability is fixed in curl 8.9.0, released on July 24, 2024 [2]. Users should upgrade to 8.9.0 or apply the patch from commit 686d54baf1df6e0775 [2]. Alternatively, rebuild libcurl with an unaffected IDN backend (e.g., libidn2) [2]. No workaround exists for applications using macidn without upgrading.