Bug 1388382 (CVE-2016-8620)

Summary: CVE-2016-8620 curl: Glob parser write/read out of bounds
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bmcclain, bodavis, cfergeau, csutherl, dbhole, eedri, erik-fedora, gzaronik, hhorak, jclere, jorton, kanderso, kdudka, lgao, lsurette, luhliari, mbabacek, mgoldboi, michal.skrivanek, mike, mturk, myarboro, omajid, paul, rh-spice-bugs, rwagner, security-response-team, srevivo, twalsh, weli, ykaul
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: curl 7.51.0 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-21 19:52:26 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1390894, 1390895, 1390896    
Bug Blocks: 1388393    
Attachments:
Description Flags
Upstream patch none

Description Andrej Nemec 2016-10-25 08:25:56 UTC 

The curl tool's "globbing" feature allows a user to specify a numerical range
through which curl will iterate. It is typically specified as [1-5],
specifying the first and the last numbers in the range. Or with [a-z], using
letters.

1. The curl code for parsing the second *unsigned* number did not check for a
leading minus character, which allowed a user to specify `[1--1]` with no
complaints and have the latter `-1` number get turned into the largest
unsigned long value the system can handle. This would ultimately cause curl to
write outside the dedicated malloced buffer after no less than 100,000
iterations, since it would have room for 5 digits but not 6.

2. When the range is specified with letters, and the ending letter is left out
`[L-]`, the code would still advance its read pointer 5 bytes even if the
string was just 4 bytes and end up reading outside the given buffer.

External References:

https://curl.haxx.se/docs/adv_20161102F.html
Comment 1 Andrej Nemec 2016-10-25 08:58:37 UTC 
Created attachment 1213776 [details]
Upstream patch
Comment 2 Adam Mariš 2016-11-02 08:27:53 UTC 
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 1390894]
Comment 3 Adam Mariš 2016-11-02 08:28:06 UTC 
Created mingw-curl tracking bugs for this issue:

Affects: fedora-all [bug 1390895]
Affects: epel-7 [bug 1390896]
Comment 4 errata-xmlrpc 2018-11-13 08:33:13 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2018:3558 https://access.redhat.com/errata/RHSA-2018:3558