Bug 1388377 (CVE-2016-8617)

Summary: CVE-2016-8617 curl: Out-of-bounds write via unchecked multiplication
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bmcclain, bodavis, cfergeau, csutherl, dbhole, dblechte, eedri, erik-fedora, gzaronik, hhorak, jclere, jorton, kanderso, kdudka, lgao, lsurette, luhliari, mbabacek, mgoldboi, michal.skrivanek, mike, mturk, myarboro, omajid, paul, rh-spice-bugs, rwagner, security-response-team, sherold, slawomir, srevivo, twalsh, weli, ykaul
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: curl 7.51.0 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:00:54 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1390894, 1390895, 1390896    
Bug Blocks: 1388393    
Attachments:
Description Flags
Upstream patch none

Description Andrej Nemec 2016-10-25 08:18:06 UTC 
In libcurl's base64 encode function, the output buffer is allocated as follows
without any checks on insize:

     malloc( insize * 4 / 3 + 4 )

On systems with 32-bit addresses in userspace (e.g. x86, ARM, x32), the
multiplication in the expression wraps around if insize is at least 1GB of
data. If this happens, an undersized output buffer will be allocated, but the
full result will be written, thus causing the memory behind the output buffer
to be overwritten.

If a username is set directly via `CURLOPT_USERNAME` (or curl's `-u, --user`
option), this vulnerability can be triggered. The name has to be at least
512MB big in a 32bit system.

Systems with 64 bit versions of the `size_t` type are not affected by this
issue.

External References:

https://curl.haxx.se/docs/adv_20161102C.html
Comment 1 Andrej Nemec 2016-10-25 08:54:49 UTC 
Created attachment 1213772 [details]
Upstream patch
Comment 2 Adam Mariš 2016-11-02 08:26:32 UTC 
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 1390894]
Comment 3 Adam Mariš 2016-11-02 08:26:47 UTC 
Created mingw-curl tracking bugs for this issue:

Affects: fedora-all [bug 1390895]
Affects: epel-7 [bug 1390896]
Comment 6 errata-xmlrpc 2018-08-16 16:06:56 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2018:2486 https://access.redhat.com/errata/RHSA-2018:2486
Comment 7 errata-xmlrpc 2018-11-13 08:32:48 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2018:3558 https://access.redhat.com/errata/RHSA-2018:3558