CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.037 Low
EPSS Percentile: 91.5%
Severity: High
Date: 2017-11-30
CVE-ID: CVE-2017-8816 CVE-2017-8817 CVE-2017-8818
Package: lib32-libcurl-gnutls
Type: multiple issues
Remote: Yes
Link: https://security.archlinux.org/AVG-523
Summary: The package lib32-libcurl-gnutls before version 7.57.0-1 is vulnerable to multiple issues including arbitrary code execution and information disclosure.
Resolution: Upgrade to 7.57.0-1. The problems have been fixed upstream in version 7.57.0.
Workaround: None.
CVE-2017-8816 (NTLM buffer overrun): A buffer overrun flaw has been found in libcurl > 7.15.4 and < 7.57.0, in the NTLM authentication code. The internal function Curl_ntlm_core_mk_ntlmv2_hash sums up the lengths of the user name and password (= SUM) and multiplies the sum by two (= SIZE) to figure out how much storage to allocate from the heap. The SUM value is subsequently used to iterate over the input and generate output into the storage buffer. On systems with a 32-bit size_t, the math to calculate SIZE triggers an integer overflow when the combined length of the user name and password is larger than 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to be allocated instead of the intended very large one, so that using the buffer ends up in a buffer overrun.
This is only an issue on 32-bit systems. It also requires the user and password fields to use more than 2GB of memory combined, which in itself should be rare.
CVE-2017-8817 (FTP wildcard out of bounds read): A read out of bounds flaw has been found in the FTP wildcard function of libcurl >= 7.21.0 and < 7.57.0. libcurl's FTP wildcard matching feature, which is enabled with the CURLOPT_WILDCARDMATCH option, can use a built-in wildcard function or a user provided one. The built-in wildcard function has a flaw that makes it not detect the end of the pattern string if it ends with an open bracket ([); instead it will continue reading the heap beyond the end of the URL buffer that holds the wildcard.
For applications that use HTTP(S) URLs, allow libcurl to handle redirects and have FTP wildcards enabled, this flaw can be triggered by malicious servers that redirect clients to a URL using such a wildcard pattern.
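An added example, not libcurl's wildcard implementation, of the end-of-pattern check the flawed matcher lacked: a small glob matcher in C whose bracket-class scanner stops at the pattern's terminating NUL and reports a trailing "[" as a bad pattern instead of reading past the end of the buffer. Names are hypothetical.

```c
#include <stddef.h>
/* Outcome of matching a file name against a wildcard pattern. */
enum wc_result { WC_NOMATCH = 0, WC_MATCH = 1, WC_BADPATTERN = -1 };

/* Parse the bracket class at pat[0] == '[' and test c against it; *end gets
 * the index just past the closing ']'. The scan stops at the terminating NUL
 * and reports an unterminated class (a pattern ending in "[") as an error
 * instead of reading on past the end of the pattern buffer. */
static enum wc_result match_class(const char *pat, char c, size_t *end)
{
    size_t i = 1;
    int negate = 0, found = 0;
    if (pat[i] == '!' || pat[i] == '^') { negate = 1; i++; }
    if (pat[i] == ']') { found = (c == ']'); i++; } /* leading ']' is literal */
    for (; pat[i] != ']'; i++) {
        if (pat[i] == '\0')
            return WC_BADPATTERN;              /* e.g. "file[" or "[a-" */
        if (pat[i + 1] == '-' && pat[i + 2] != ']' && pat[i + 2] != '\0') {
            if (c >= pat[i] && c <= pat[i + 2]) found = 1;
            i += 2;                            /* consumed a range like 0-9 */
        } else if (pat[i] == c) {
            found = 1;
        }
    }
    *end = i + 1;
    return (found != negate) ? WC_MATCH : WC_NOMATCH;
}

/* Match str against pat, supporting '*' and bracket classes. */
enum wc_result wc_match(const char *pat, const char *str)
{
    while (*pat) {
        size_t adv; enum wc_result r;
        switch (*pat) {
        case '*':
            for (pat++; ; str++) {             /* try every split point */
                r = wc_match(pat, str);
                if (r != WC_NOMATCH || !*str) return r;
            }
        case '[':                              /* validate the class first */
            r = match_class(pat, *str, &adv);
            if (r == WC_BADPATTERN) return r;
            if (!*str || r == WC_NOMATCH) return WC_NOMATCH;
            pat += adv; str++;
            break;
        default:
            if (*pat != *str) return WC_NOMATCH;
            pat++; str++;
        }
    }
    return *str ? WC_NOMATCH : WC_MATCH;
}
```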
CVE-2017-8818 (SSL out of buffer access): An out-of-bounds flaw has been found in the SSL related code of libcurl >= 7.56.0 and < 7.57.0. When allocating memory for a connection (the internal struct called connectdata), a certain amount of memory is allocated at the end of the struct to be used for SSL related structs. Those structs are used by the particular SSL library libcurl is built to use. The application can also tell libcurl which specific SSL library to use if it was built to support more than one. The math used to calculate the extra memory amount necessary for the SSL library was wrong on 32-bit systems, which made the allocated memory too small by 4 bytes. The last struct member of the last object within the memory area could then be outside of what was allocated. Accessing that member could lead to a crash or other undefined behavior depending on what memory is present there and how the particular SSL library decides to act on that memory content.
Specifically, the vulnerability is present if libcurl was built so that sizeof(long long *) < sizeof(long long), which as far as we are aware only happens in 32-bit builds.
Impact: A remote attacker is able to crash the application, possibly disclose sensitive information or execute arbitrary code on the affected host.
https://curl.haxx.se/docs/adv_2017-11e7.html
https://curl.haxx.se/docs/adv_2017-ae72.html
https://curl.haxx.se/docs/adv_2017-af0a.html
https://curl.haxx.se/CVE-2017-8816.patch
https://github.com/curl/curl/commit/7f2a1df6f5fc598750b2c6f34465c8d924db28cc
https://curl.haxx.se/CVE-2017-8817.patch
https://github.com/curl/curl/commit/0b664ba968437715819bfe4c7ada5679d16ebbc3
https://curl.haxx.se/CVE-2017-8818.patch
https://github.com/curl/curl/commit/9b5e12a5491d2e6b68e0c88ca56f3a9ef9fba400
https://security.archlinux.org/CVE-2017-8816
https://security.archlinux.org/CVE-2017-8817
https://security.archlinux.org/CVE-2017-8818
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ArchLinux | any | any | lib32-libcurl-gnutls | < 7.57.0-1 | UNKNOWN |