Lucene search

K
archlinuxArchLinuxASA-201609-18
HistorySep 20, 2016 - 12:00 a.m.

[ASA-201609-18] lib32-curl: denial of service

2016-09-2000:00:00
security.archlinux.org
11

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.015 Low

EPSS

Percentile

86.5%

Arch Linux Security Advisory ASA-201609-18

Severity: Low
Date : 20916-09-20
CVE-ID : CVE-2016-7167
Package : lib32-curl
Type : denial of service
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE

Summary

The package lib32-curl before version 7.50.3-1 is vulnerable to denial
of service.

Resolution

Upgrade to 7.50.3-1.

pacman -Syu “lib32-curl>=7.50.3-1”

The problem has been fixed upstream in version 7.50.3.

Workaround

None.

Description

The four libcurl functions curl_escape(), curl_easy_escape(),
curl_unescape and curl_easy_unescape perform string URL percent
escaping and unescaping. They accept custom string length inputs in
signed integer arguments. (The functions having names without “easy”
being the deprecated versions of the others.)

The provided string length arguments were not properly checked and due
to arithmetic in the functions, passing in the length 0xffffffff (2^32-1
or UINT_MAX or even just -1) would end up causing an allocation of
zero bytes of heap memory that curl would attempt to write gigabytes of
data into.

The use of ‘int’ for this input type in the API is of course unwise but
has remained so in order to maintain the API over the years.

We are not aware of any exploit of this flaw.

Impact

A remote attacker might cause a crash by providing a specially crafted
URL, leading to a denial of service.

References

http://www.openwall.com/lists/oss-security/2016/09/14/1
https://curl.haxx.se/docs/adv_20160914.html
https://access.redhat.com/security/cve/CVE-2016-7167

OSVersionArchitecturePackageVersionFilename
ArchLinuxanyanylib32-curl< 7.50.3-1UNKNOWN

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.015 Low

EPSS

Percentile

86.5%