FreshPorts - VuXML
This page displays vulnerability information about FreeBSD Ports.
The last vuln.xml file processed by FreshPorts is:
These are the vulnerabilities relating to the commit you have selected:
|4e1f4abc-6837-11e3-9cda-3c970e169bc2||cURL library -- cert name check ignore with GnuTLS|
cURL project reports:

libcurl is vulnerable to a case of missing out the checking
of the certificate CN or SAN name field when the digital
signature verification is turned off.

libcurl offers two separate and independent options for
verifying a server's TLS certificate. CURLOPT_SSL_VERIFYPEER
and CURLOPT_SSL_VERIFYHOST. The first one tells libcurl to
verify the trust chain using a CA cert bundle, while the
second tells libcurl to make sure that the name fields in
the server certificate meet the criteria. Both options are
enabled by default.

This flaw had the effect that when an application disabled
CURLOPT_SSL_VERIFYPEER, libcurl mistakenly also skipped the
CURLOPT_SSL_VERIFYHOST check. Applications can disable
CURLOPT_SSL_VERIFYPEER and still achieve security by doing
the check on their own using other means.

The curl command line tool is not affected by this problem
as it either enables both options or disables both at the

Affected versions: ge 7.21.4 lt 7.33.0_2

|01cf67b3-dc3b-11e2-a6cd-c48508086173||cURL library -- heap corruption in curl_easy_unescape|
cURL developers report:

libcurl is vulnerable to a case of bad checking of the
input data which may lead to heap corruption.

The function curl_easy_unescape() decodes URL-encoded
strings to raw binary data. URL-encoded octets are
represented with %HH combinations where HH is a two-digit
hexadecimal number. The decoded string is written to an
allocated memory area that the function returns to the

The function takes a source string and a length
parameter, and if the length provided is 0 the function will
instead use strlen() to figure out how much data to

The "%HH" parser wrongly only considered the case where a
zero byte would terminate the input. If a length-limited
buffer was passed in which ended with a '%' character which
was followed by two hexadecimal digits outside of the buffer
libcurl was allowed to parse alas without a terminating
zero, libcurl would still parse that sequence as well. The
counter for remaining data to handle would then be decreased
too much and wrap to become a very large integer and the
copying would go on too long and the destination buffer that
is allocated on the heap would get overwritten.

We consider it unlikely that programs allow user-provided
strings unfiltered into this function. Also, only the not
zero-terminated input string use case is affected by this
flaw. Exploiting this flaw for gain is probably possible for
specific circumstances but we consider the general risk for
this to be low.

The curl command line tool is not affected by this
problem as it doesn't use this function.

There are no known exploits available at this time.

Affected versions: ge 7.7 lt 7.24.0_4
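
The bounds check whose absence the curl_easy_unescape() report above describes, written out as an added example. This is not libcurl's code and not part of the advisory; `unescape_n` and `hexval` are hypothetical names, and the decoder always takes an explicit length.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical helper: numeric value of one hex digit (caller checks isxdigit). */
static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9')
        return c - '0';
    return tolower(c) - 'a' + 10;
}

/*
 * Decode exactly `len` bytes of `in`, which need not be zero-terminated.
 * Returns a malloc'd, zero-terminated buffer and stores the decoded
 * length in *olen; returns NULL if the buffer cannot be allocated.
 */
char *unescape_n(const char *in, size_t len, size_t *olen)
{
    size_t i = 0, o = 0;
    char *out;

    if (len == SIZE_MAX)            /* len + 1 would wrap to 0 */
        return NULL;
    out = malloc(len + 1);          /* decoding never grows the data */
    if (!out)
        return NULL;
    while (i < len) {
        unsigned char c = (unsigned char)in[i];
        /* Length test first: "%HH" is decoded only when both digits lie
         * inside the caller's length. Testing the digits alone reads past
         * the buffer and consumes 3 bytes when fewer remain, which is how
         * an unsigned "remaining" counter wraps to a huge value. */
        if (c == '%' && len - i >= 3 &&
            isxdigit((unsigned char)in[i + 1]) &&
            isxdigit((unsigned char)in[i + 2])) {
            c = (unsigned char)(hexval((unsigned char)in[i + 1]) * 16 +
                                hexval((unsigned char)in[i + 2]));
            i += 3;
        } else {
            i += 1;                 /* literal byte, including a trailing '%' */
        }
        out[o++] = (char)c;
    }
    out[o] = '\0';
    *olen = o;
    return out;
}
```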