[arch-security] [ASA-201609-19] curl: denial of service
Jelle van der Waa
jelle at archlinux.org
Tue Sep 20 19:22:31 UTC 2016
Arch Linux Security Advisory ASA-201609-19
Date : 20916-09-20
CVE-ID : CVE-2016-7167
Package : curl
Type : denial of service
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
The package curl before version 7.50.3-1 is vulnerable to denial
Upgrade to 7.50.3-1.
# pacman -Syu "curl>=7.50.3-1"
The problem has been fixed upstream in version 7.50.3.
The four libcurl functions `curl_escape()`, `curl_easy_escape()`,
`curl_unescape` and `curl_easy_unescape` perform string URL percent
escaping and unescaping. They accept custom string length inputs in
signed integer arguments. (The functions having names without "easy"
being the deprecated versions of the others.)
The provided string length arguments were not properly checked and due
to arithmetic in the functions, passing in the length 0xffffffff
(2^32-1 or `UINT_MAX` or even just -1) would end up causing an
allocation of zero bytes of heap memory that curl would attempt to
write gigabytes of data into.
The use of 'int' for this input type in the API is of course unwise
but has remained so in order to maintain the API over the years.
We are not aware of any exploit of this flaw.
A remote attacker might cause a crash by providing a specially crafted
URL, leading to a denial of service.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 455 bytes
Desc: not available
More information about the arch-security