Bug 1406712 (CVE-2016-9586)
Summary: | CVE-2016-9586 curl: printf floating point buffer overflow | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Andrej Nemec <anemec> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | | |
Version: | unspecified | CC: | bmcclain, bodavis, cfergeau, csutherl, dbhole, eedri, erik-fedora, gzaronik, hhorak, jclere, jorton, kanderso, kdudka, lgao, lsurette, luhliari, mbabacek, mgoldboi, michal.skrivanek, mike, myarboro, omajid, paul, rbalakri, rh-spice-bugs, rwagner, sardella, sbonazzo, srevivo, twalsh, weli, ykaul, ylavi |
Target Milestone: | --- | Keywords: | Reopened, Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | curl 7.52.0 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2021-10-21 11:58:41 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1406716, 1406717, 1406718 | | |
Bug Blocks: | 1406719 | | |
Description
Andrej Nemec
2016-12-21 10:11:52 UTC
Acknowledgments:

Name: the Curl project

Created curl tracking bugs for this issue:

Affects: fedora-all [bug 1406716]

Created mingw-curl tracking bugs for this issue:

Affects: fedora-all [bug 1406717]
Affects: epel-7 [bug 1406718]

This flaw is present in the `curl_*printf` (`curlx_*printf`) family of functions, which are not used by curl but are exposed from libcurl. I can't find any of these functions being used across Enterprise Linux. To be exposed, third-party code would need to be using these long-deprecated functions, with a floating-point specifier and user-controlled (floating-point) input.

The overflow itself is of a 256-byte stack-allocated buffer, when the decimal expansion of the float exceeds that by up to 70 bytes. Beyond about 16 digits for a double, the decimal expansion is effectively random, so the attacker has very little control over precisely what bytes are written. I think the chance of ACE can be discounted here.

upstream commit: https://github.com/curl/curl/commit/curl-7_51_0-162-g3ab3c16

This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2018:3558 https://access.redhat.com/errata/RHSA-2018:3558
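As an added example that is not curl's code or the upstream fix, the bug class the report describes beside a bounds-checked form: a double formatted into a fixed 256-byte stack work buffer. The 256-byte size, the `%.*f` format and the function names are assumed here for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Fixed-size work buffer, assumed here to match the 256-byte stack buffer
 * the report describes; this is illustrative code, not curl's mprintf. */
#define WORK_BUFSIZE 256

/* The bug class ('before'): a double formatted with a caller-controlled
 * precision into a fixed stack buffer with no bound. A value such as 1e308
 * expands to 309 integer digits, so the write runs past the buffer.
 * Kept uncalled; shown only to contrast with the checked form below. */
void format_double_unchecked(char *out, double v, int precision)
{
    char work[WORK_BUFSIZE];
    sprintf(work, "%.*f", precision, v);   /* unbounded write into work[] */
    strcpy(out, work);
}

/* How many bytes the decimal expansion of v needs at this precision
 * (excluding the NUL); snprintf(NULL, 0, ...) measures without writing. */
int double_expansion_length(double v, int precision)
{
    return snprintf(NULL, 0, "%.*f", precision, v);
}

/* Hardened form: measure first and refuse anything that would not fit in
 * either the work buffer or the caller's output buffer. Returns the number
 * of characters written, or -1 if formatting would overflow. */
int format_double_checked(char *out, size_t outlen, double v, int precision)
{
    char work[WORK_BUFSIZE];
    int needed;
    if (precision < 0)
        precision = 6;                      /* printf's default for %f */
    needed = double_expansion_length(v, precision);
    if (needed < 0 || (size_t)needed >= sizeof(work) || (size_t)needed >= outlen)
        return -1;                          /* reject rather than truncate silently */
    snprintf(work, sizeof(work), "%.*f", precision, v);
    memcpy(out, work, (size_t)needed + 1);  /* copy including the NUL */
    return needed;
}

int main(void)
{
    char out[512];
    int n = format_double_checked(out, sizeof(out), 1e308, 6);
    printf("1e308 needs %d bytes, checked format returns %d\n", double_expansion_length(1e308, 6), n);
    return 0;
}
```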