[arch-security] [ASA-201711-36] lib32-curl: multiple issues
anthraxx at archlinux.org
Fri Dec 1 16:41:54 UTC 2017
Arch Linux Security Advisory ASA-201711-36
Date : 2017-11-30
CVE-ID : CVE-2017-8816 CVE-2017-8817 CVE-2017-8818
Package : lib32-curl
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-521
The package lib32-curl before version 7.57.0-1 is vulnerable to
multiple issues including arbitrary code execution and information
Upgrade to 7.57.0-1.
# pacman -Syu "lib32-curl>=7.57.0-1"
The problems have been fixed upstream in version 7.57.0.
- CVE-2017-8816 (arbitrary code execution)
A buffer overrun flaw has been found in libcurl > 7.15.4 and < 7.57.0,
in the NTLM authentication code. The internal function
`Curl_ntlm_core_mk_ntlmv2_hash` sums up the lengths of the user name +
password (= SUM) and multiplies the sum by two (= SIZE) to figure out
how large storage to allocate from the heap. The SUM value is
subsequently used to iterate over the input and generate output into
the storage buffer. On systems with a 32 bit `size_t`, the math to
calculate SIZE triggers an integer overflow when the combined lengths
of the user name and password is larger than 2GB (2^31 bytes). This
integer overflow usually causes a very small buffer to actually get
allocated instead of the intended very huge one, making the use of that
buffer end up in a buffer overrun.
This is only an issue on 32 bit systems. It also requires the user and
password fields to use more than 2GB of memory combined, which in
itself should be rare.
- CVE-2017-8817 (information disclosure)
A read out of bounds flaw has been found in the FTP wildcard function
of libcurl >= 7.21.0 and < 7.57.0. libcurl's FTP wildcard matching
feature, which is enabled with the `CURLOPT_WILDCARDMATCH` option can
use a built-in wildcard function or a user provided one. The built-in
wildcard function has a flaw that makes it not detect the end of the
pattern string if it ends with an open bracket (`[`) but instead it
will continue reading the heap beyond the end of the URL buffer that
holds the wildcard.
For applications that use HTTP(S) URLs, allow libcurl to handle
redirects and have FTP wildcards enabled, this flaw can be triggered by
malicious servers that can redirect clients to a URL using such a
- CVE-2017-8818 (arbitrary code execution)
An out-of-bounds flaw has been found in the SSL related code of libcurl
>= 7.56.0 and < 7.57.0. When allocating memory for a connection (the
internal struct called connectdata), a certain amount of memory is
allocated at the end of the struct to be used for SSL related structs.
Those structs are used by the particular SSL library libcurl is built
to use. The application can also tell libcurl which specific SSL
library to use if it was built to support more than one. The math used
to calculate the extra memory amount necessary for the SSL library was
wrong on 32 bit systems, which made the allocated memory too small by 4
bytes. The last struct member of the last object within the memory area
could then be outside of what was allocated. Accessing that member
could lead to a crash or other undefined behaviors depending on what
memory that is present there and how the particular SSL library decides
to act on that memory content.
Specifically the vulnerability is present if libcurl was built so that
sizeof(long long *) < sizeof(long long) which as far as we are aware
only happens in 32-bit builds.
A remote attacker is able to crash the application, possibly disclose
sensitive information or execute arbitrary code on the affected host.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 866 bytes
Desc: OpenPGP digital signature
More information about the arch-security