
[ASA-201701-11] lib32-libcurl-gnutls: multiple issues

Published: 2017-01-03 00:00:00
Source: security.archlinux.org

CVSS3: 8.1 High
  Attack Vector: NETWORK
  Attack Complexity: HIGH
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 6.8 Medium
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS: 0.012 Low (Percentile: 85.3%)

Arch Linux Security Advisory ASA-201701-11

Severity: Medium
Date : 2017-01-03
CVE-ID : CVE-2016-9586 CVE-2016-9594
Package : lib32-libcurl-gnutls
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-117

Summary

The package lib32-libcurl-gnutls before version 7.52.1-1 is vulnerable
to multiple issues including arbitrary code execution and incorrect
calculation.

Resolution

Upgrade to 7.52.1-1.

pacman -Syu "lib32-libcurl-gnutls>=7.52.1-1"

The problems have been fixed upstream in version 7.52.1.

Workaround

None.

Description

  • CVE-2016-9586 (arbitrary code execution)

libcurl's implementation of the printf() functions triggers a buffer
overflow when doing a large floating point output. The bug occurs when
the conversion outputs more than 255 bytes. The flaw happens because
the floating point conversion is using system functions without the
correct boundary checks.
The functions have been documented as deprecated for a long time and
users are discouraged from using them in "new programs" as they are
planned to get removed at a future point. But as the functions are
present and there's nothing preventing users from using them, we expect
there to be a certain amount of existing users in the wild.
If there are any applications that accept a format string from the
outside without the necessary input filtering, it could allow remote
attacks.

  • CVE-2016-9594 (incorrect calculation)

libcurl's (new) internal function that returns a good 32-bit random
value was implemented poorly and overwrote the pointer instead of
writing the value into the buffer the pointer pointed to. This random
value is used to generate nonces for Digest and NTLM authentication,
for generating boundary strings in HTTP formposts and more. Having a
weak or virtually non-existent random there makes these operations
vulnerable.
This function was introduced in 7.52.0.
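
The CVE-2016-9594 bug class, as an added illustration that is not curl's code: the hypothetical rand_buggy() assigns to its pointer parameter rather than to the buffer it points at, so the caller's value never changes, while random_self_test() is a defensive check that catches this by seeding the output with a sentinel and confirming that successive values are both written and distinct. entropy_source() is a deterministic xorshift stand-in, not a real entropy source.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for a 32-bit entropy source (constructed, not curl's code).
 * xorshift32 never yields 0 from a nonzero seed, so 0 is a safe sentinel. */
static unsigned int entropy_source(void)
{
    static uint32_t s = 0x2545F491u;
    s ^= s << 13; s ^= s >> 17; s ^= s << 5;
    return (unsigned int)s;
}

/* Buggy pattern: the local copy of the pointer is overwritten; the
 * caller's buffer is never touched. (The cast only silences the compiler;
 * the real-world defect was a missing dereference.) */
static int rand_buggy(unsigned int *rnd)
{
    unsigned int v = entropy_source();
    rnd = (unsigned int *)(uintptr_t)v;   /* should have been *rnd = v */
    (void)rnd;
    return 0;
}

/* Corrected pattern: write through the pointer into the caller's buffer. */
static int rand_fixed(unsigned int *rnd)
{
    if (!rnd)
        return -1;
    *rnd = entropy_source();
    return 0;
}

/* Self-test for a generator: returns 1 if every call overwrites the
 * sentinel and no two of N consecutive values repeat, 0 otherwise. */
static int random_self_test(int (*gen)(unsigned int *))
{
    enum { N = 8 };
    unsigned int out[N];
    for (int i = 0; i < N; i++) {
        out[i] = 0;                          /* sentinel */
        if (gen(&out[i]) != 0 || out[i] == 0)
            return 0;                        /* buffer never written */
    }
    for (int i = 0; i < N; i++)
        for (int j = i + 1; j < N; j++)
            if (out[i] == out[j])
                return 0;                    /* repeated "random" value */
    return 1;
}

int main(void)
{
    printf("buggy generator passes: %d\n", random_self_test(rand_buggy));
    printf("fixed generator passes: %d\n", random_self_test(rand_fixed));
    return 0;
}
```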

Impact

A remote attacker is able to execute arbitrary code on a target machine
by sending crafted data to the server. In addition, the nonces
generated by libcurl 7.52.0 were not truly random, which allowed for an
attacker to derive sensitive information (e.g., session keys).

References

https://bugs.archlinux.org/task/52247
https://bugs.archlinux.org/task/52250
https://curl.haxx.se/docs/adv_20161221A.html
https://curl.haxx.se/docs/adv_20161223.html
https://security.archlinux.org/CVE-2016-9586
https://security.archlinux.org/CVE-2016-9594

OS          Version  Architecture  Package               Version     Filename
Arch Linux  any      any           lib32-libcurl-gnutls  < 7.52.1-1  UNKNOWN
