Lucene search

K
archlinuxArchLinuxASA-201711-37
HistoryNov 30, 2017 - 12:00 a.m.

[ASA-201711-37] lib32-libcurl-gnutls: multiple issues

2017-11-3000:00:00
security.archlinux.org
15

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.037 Low

EPSS

Percentile

91.5%

Arch Linux Security Advisory ASA-201711-37

Severity: High
Date : 2017-11-30
CVE-ID : CVE-2017-8816 CVE-2017-8817 CVE-2017-8818
Package : lib32-libcurl-gnutls
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-523

Summary

The package lib32-libcurl-gnutls before version 7.57.0-1 is vulnerable
to multiple issues including arbitrary code execution and information
disclosure.

Resolution

Upgrade to 7.57.0-1.

pacman -Syu “lib32-libcurl-gnutls>=7.57.0-1”

The problems have been fixed upstream in version 7.57.0.

Workaround

None.

Description

  • CVE-2017-8816 (arbitrary code execution)

A buffer overrun flaw has been found in libcurl > 7.15.4 and < 7.57.0,
in the NTLM authentication code. The internal function
Curl_ntlm_core_mk_ntlmv2_hash sums up the lengths of the user name +
password (= SUM) and multiplies the sum by two (= SIZE) to figure out
how large storage to allocate from the heap. The SUM value is
subsequently used to iterate over the input and generate output into
the storage buffer. On systems with a 32 bit size_t, the math to
calculate SIZE triggers an integer overflow when the combined lengths
of the user name and password is larger than 2GB (2^31 bytes). This
integer overflow usually causes a very small buffer to actually get
allocated instead of the intended very huge one, making the use of that
buffer end up in a buffer overrun.
This is only an issue on 32 bit systems. It also requires the user and
password fields to use more than 2GB of memory combined, which in
itself should be rare.

  • CVE-2017-8817 (information disclosure)

A read out of bounds flaw has been found in the FTP wildcard function
of libcurl >= 7.21.0 and < 7.57.0. libcurl’s FTP wildcard matching
feature, which is enabled with the CURLOPT_WILDCARDMATCH option can
use a built-in wildcard function or a user provided one. The built-in
wildcard function has a flaw that makes it not detect the end of the
pattern string if it ends with an open bracket ([) but instead it
will continue reading the heap beyond the end of the URL buffer that
holds the wildcard.
For applications that use HTTP(S) URLs, allow libcurl to handle
redirects and have FTP wildcards enabled, this flaw can be triggered by
malicious servers that can redirect clients to a URL using such a
wildcard pattern.

  • CVE-2017-8818 (arbitrary code execution)

An out-of-bounds flaw has been found in the SSL related code of libcurl
><i>= 7.56.0 and < 7.57.0. When allocating memory for a connection (the
</i>internal struct called connectdata), a certain amount of memory is
allocated at the end of the struct to be used for SSL related structs.
Those structs are used by the particular SSL library libcurl is built
to use. The application can also tell libcurl which specific SSL
library to use if it was built to support more than one. The math used
to calculate the extra memory amount necessary for the SSL library was
wrong on 32 bit systems, which made the allocated memory too small by 4
bytes. The last struct member of the last object within the memory area
could then be outside of what was allocated. Accessing that member
could lead to a crash or other undefined behaviors depending on what
memory that is present there and how the particular SSL library decides
to act on that memory content.
Specifically the vulnerability is present if libcurl was built so that
sizeof(long long *) < sizeof(long long) which as far as we are aware
only happens in 32-bit builds.

Impact

A remote attacker is able to crash the application, possibly disclose
sensitive information or execute arbitrary code on the affected host.

References

https://curl.haxx.se/docs/adv_2017-11e7.html
https://curl.haxx.se/docs/adv_2017-ae72.html
https://curl.haxx.se/docs/adv_2017-af0a.html
https://curl.haxx.se/CVE-2017-8816.patch
https://github.com/curl/curl/commit/7f2a1df6f5fc598750b2c6f34465c8d924db28cc
https://curl.haxx.se/CVE-2017-8817.patch
https://github.com/curl/curl/commit/0b664ba968437715819bfe4c7ada5679d16ebbc3
https://curl.haxx.se/CVE-2017-8818.patch
https://github.com/curl/curl/commit/9b5e12a5491d2e6b68e0c88ca56f3a9ef9fba400
https://security.archlinux.org/CVE-2017-8816
https://security.archlinux.org/CVE-2017-8817
https://security.archlinux.org/CVE-2017-8818

OSVersionArchitecturePackageVersionFilename
ArchLinuxanyanylib32-libcurl-gnutls< 7.57.0-1UNKNOWN

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.037 Low

EPSS

Percentile

91.5%

Related for ASA-201711-37