SB2016110322 - Out-of-bounds write in curl (Alpine package)
Published: November 3, 2016
Security Bulletin ID
SB2016110322
Severity
High
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Out-of-bounds write (CVE-ID: CVE-2016-8622)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function would be made to allocate a unscape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus the length would get either just truncated or both truncated and turned negative. That could then lead to libcurl writing outside of its heap based buffer.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=7079fe21530ae1c8147925d8b591131b786ab2e9
- https://git.alpinelinux.org/aports/commit/?id=619d9f8608068fab555a9a54e6154eb798eb5c2c
- https://git.alpinelinux.org/aports/commit/?id=ba3dc3d210189d8b88c35c3b6850f54f8041f3fa
- https://git.alpinelinux.org/aports/commit/?id=4cbdd0cf8c1d0c855e0d3cfb56ef02aa19716a01
- https://git.alpinelinux.org/aports/commit/?id=41621bfa2c8cbc7303191ddefd9ccaa650d8b359
- https://git.alpinelinux.org/aports/commit/?id=ffe6b82496f728d1d75dae4030047c6ff48a9c5a