PT-2010-1104 · Curl+1 · Libcurl+1

Published: 2010-02-09 · Updated: 2018-10-10 · CVE-2010-0734

CVSS v2.0: 7.5 (High)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: libcurl versions 7.10.5 through 7.19.7; libcurl versions prior to 7.24.0

Description: The issue affects libcurl and can compromise the confidentiality, integrity, and availability of protected information. Exploitation can occur remotely. Specifically, in libcurl 7.10.5 through 7.19.7, when zlib is enabled, the content_encoding.c file does not properly restrict the amount of callback data sent to an application that requests automatic decompression. This might allow remote attackers to cause a denial of service or have unspecified other impact by sending crafted compressed data. The problem arises because libcurl hands downloaded data to the application through a callback function; with automatic decompression enabled, a single callback can receive up to 64K of data, exceeding the documented maximum of CURL_MAX_WRITE_SIZE (16K). This can lead to a buffer overflow in applications that blindly trust libcurl's documented limit when sizing a fixed buffer.

Recommendations: For libcurl versions 7.10.5 through 7.19.7, consider disabling automatic decompression until a patch is available. For libcurl versions prior to 7.24.0, update to version 7.24.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of the content_encoding.c code path in zlib-enabled builds of libcurl until a patch is available.
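The application-side hardening the description implies is a write callback that never sizes its buffer from CURL_MAX_WRITE_SIZE but from the size and nmemb arguments it is actually given. The following is an added example, not libcurl's code and not part of this advisory; it redefines the documented 16K value locally so it compiles without curl/curl.h, and the BODY_LIMIT cap, the body struct, and the deliver_chunk/try_sequence drivers are assumptions made for the example. The callback has the signature libcurl expects for CURLOPT_WRITEFUNCTION, and returning fewer bytes than delivered makes libcurl abort the transfer with CURLE_WRITE_ERROR, which is the safe failure mode when an oversized chunk arrives.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* libcurl's documented per-callback ceiling (CURL_MAX_WRITE_SIZE, 16K),
 * redefined here so the example builds without curl/curl.h. The advisory's
 * point is that affected zlib-enabled builds can exceed it, so the callback
 * below uses it only as an initial allocation hint, never as a bound. */
#define DOCUMENTED_MAX_WRITE_SIZE 16384UL

/* Application-chosen hard cap on the total body we are willing to buffer
 * (assumed value for this example). */
#define BODY_LIMIT (256UL * 1024UL)

/* Accumulator passed to the callback via CURLOPT_WRITEDATA. */
struct body {
    char  *data;
    size_t len;
    size_t cap;
};

/* Hardened write callback: sizes by the arguments it receives, guards
 * size*nmemb against overflow, grows the buffer on demand and refuses
 * anything that would push the total past BODY_LIMIT. A short return
 * tells libcurl to abort the transfer. */
static size_t body_write_cb(char *ptr, size_t size, size_t nmemb, void *userdata)
{
    struct body *b = (struct body *)userdata;
    size_t n;

    if (size != 0 && nmemb > SIZE_MAX / size)   /* size*nmemb would overflow */
        return 0;
    n = size * nmemb;

    if (n > BODY_LIMIT - b->len)                 /* total would exceed our cap */
        return 0;

    if (b->len + n > b->cap) {
        size_t newcap = b->cap ? b->cap : DOCUMENTED_MAX_WRITE_SIZE;
        while (newcap < b->len + n)              /* bounded: len+n <= BODY_LIMIT */
            newcap *= 2;
        char *grown = realloc(b->data, newcap);
        if (!grown)
            return 0;
        b->data = grown;
        b->cap = newcap;
    }
    memcpy(b->data + b->len, ptr, n);
    b->len += n;
    return n;
}

static void body_free(struct body *b)
{
    free(b->data);
    b->data = NULL;
    b->len = b->cap = 0;
}

/* Driver standing in for libcurl: fabricates one delivery of chunk_bytes
 * (constructed filler data) and returns how many bytes the callback accepted. */
static size_t deliver_chunk(struct body *b, size_t chunk_bytes)
{
    char *chunk = malloc(chunk_bytes ? chunk_bytes : 1);
    size_t accepted;
    if (!chunk)
        return 0;
    memset(chunk, 'A', chunk_bytes);
    accepted = body_write_cb(chunk, 1, chunk_bytes, b);
    free(chunk);
    return accepted;
}

/* Delivers a sequence of chunk sizes into a fresh body and returns how many
 * were accepted before the first rejection (the point libcurl would abort). */
static size_t try_sequence(const size_t *chunks, size_t count)
{
    struct body b = {0};
    size_t i;
    for (i = 0; i < count; i++)
        if (deliver_chunk(&b, chunks[i]) != chunks[i])
            break;
    body_free(&b);
    return i;
}

int main(void)
{
    struct body b = {0};
    /* 64K in one callback, as the advisory describes: accepted safely, no fixed buffer to overrun. */
    size_t got = deliver_chunk(&b, 4 * DOCUMENTED_MAX_WRITE_SIZE);
    printf("64K chunk: accepted %zu bytes, buffered %zu\n", got, b.len);
    /* A chunk that would exceed our own cap is refused, aborting the transfer. */
    got = deliver_chunk(&b, BODY_LIMIT);
    printf("oversized chunk: accepted %zu bytes (0 = transfer aborted)\n", got);
    body_free(&b);
    return 0;
}
```

The contrast with the vulnerable pattern is the absence of any fixed 16K array: a callback that does `char buf[CURL_MAX_WRITE_SIZE]; memcpy(buf, ptr, size * nmemb);` is exactly what the description warns about, while this one either has room for what it is given or rejects it.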

Fix

DoS


Weakness Enumeration

Related Identifiers

BDU:2015-09428
CVE-2010-0734
DSA-2023-1
RHSA-2010:0273
RHSA-2010:0329
RHSA-2010_0273
RHSA-2010_0329

Affected Products

Red Hat
Libcurl