Bug 1408385 (CVE-2016-9594)

Summary: CVE-2016-9594 curl: Uninitialized random
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: bmcclain, cfergeau, csutherl, dblechte, eedri, erik-fedora, gzaronik, hhorak, jclere, jorton, kdudka, lgao, lsurette, luhliari, mbabacek, mgoldboi, michal.skrivanek, myarboro, omajid, paul, rbalakri, rh-spice-bugs, sardella, sbonazzo, sherold, srevivo, twalsh, weli, ykaul, ylavi
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: curl 7.52.1
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-12-23 08:34:22 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Andrej Nemec 2016-12-23 08:33:06 UTC
libcurl's (new) internal function that returns a good 32-bit random value was
implemented poorly and overwrote the pointer instead of writing the value into
the buffer the pointer pointed to.

This random value is used to generate nonces for Digest and NTLM
authentication, for generating boundary strings in HTTP formposts and
more. Having a weak or virtually non-existent random there makes these
operations vulnerable.

This function is brand new in 7.52.0.

External References:

https://curl.haxx.se/docs/adv_20161223.html

Upstream patch:

https://curl.haxx.se/CVE-2016-9594.patch
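The defect the description attributes to the new random function is an output-parameter mistake: the value is assigned to the pointer itself instead of being stored through it, so the caller's buffer is never written. The C illustration below is added here and is not curl's code nor part of the bug report; it shows that pattern beside the corrected form, together with the sentinel check a unit test would use to catch it: prefill the output variable, call the getter, and require that the prefill was replaced. The seed source is a toy LCG (`next_value`, an assumption of this example) chosen only so the code runs deterministically offline; it is not a random generator to reuse.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration, not curl's code: a getter with the same
 * output-parameter contract as the function the advisory describes
 * (status return, value delivered through a pointer). */

/* Toy deterministic seed source (assumption of this example) so the
 * demonstration is repeatable offline. Unsigned arithmetic wraps mod 2^32. */
static unsigned int next_value(unsigned int *state)
{
    *state = *state * 1103515245u + 12345u;   /* LCG step, illustration only */
    return *state;
}

/* Buggy pattern: the result lands in the local copy of the pointer, not in
 * the caller's variable. The cast mirrors what an unchecked int-to-pointer
 * assignment does; the caller's buffer keeps whatever it held before. */
static int rand_broken(unsigned int *state, unsigned int *rnd)
{
    unsigned int v = next_value(state);
    rnd = (unsigned int *)(uintptr_t)v;   /* overwrites the pointer, not *rnd */
    (void)rnd;
    return 0;
}

/* Fixed pattern: store through the pointer. */
static int rand_fixed(unsigned int *state, unsigned int *rnd)
{
    *rnd = next_value(state);
    return 0;
}

typedef int (*rand_fn)(unsigned int *, unsigned int *);

/* Sentinel check: prefill two output variables with a recognisable value,
 * call the getter for each, and require that both sentinels were replaced
 * and that the two results differ. Returns 1 when the getter passes. */
int output_is_written(rand_fn fn, unsigned int seed)
{
    const unsigned int sentinel = 0xDEADBEEFu;
    unsigned int state = seed;
    unsigned int a = sentinel, b = sentinel;

    fn(&state, &a);
    fn(&state, &b);
    return a != sentinel && b != sentinel && a != b;
}

int broken_passes(void) { return output_is_written(rand_broken, 42u); }
int fixed_passes(void)  { return output_is_written(rand_fixed, 42u); }

int main(void)
{
    printf("broken getter writes its output: %s\n", broken_passes() ? "yes" : "no");
    printf("fixed getter writes its output:  %s\n", fixed_passes() ? "yes" : "no");
    return 0;
}
```

With the broken getter the caller's variable is left untouched: here it keeps the sentinel, in the advisory's case it kept whatever the uninitialized stack or buffer already held, which is why nonces and form boundaries derived from it were weak or constant. A compiler run with warnings enabled flags the uncast form of the bad assignment (integer assigned to a pointer), so treating that warning as an error in CI is the cheapest check of all.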

Comment 1 Andrej Nemec 2016-12-23 08:33:34 UTC
Acknowledgments:

Name: Kamil Dudka (Red Hat)

Comment 2 Andrej Nemec 2016-12-23 08:34:22 UTC
Vulnerable version is not shipped anywhere across our products.