Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1375906 - (CVE-2016-7167) CVE-2016-7167 curl: escape and unescape integer overflows
CVE-2016-7167 curl: escape and unescape integer overflows
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20160914,reported=2...
: Security
Depends On: 1375909 1375907 1375908 1377578
Blocks: 1375910
  Show dependency treegraph
 
Reported: 2016-09-14 04:41 EDT by Adam Mariš
Modified: 2018-08-16 12:06 EDT (History)
29 users (show)

See Also:
Fixed In Version: curl 7.50.3
Doc Type: If docs needed, set a value
Doc Text:
Multiple integer overflow flaws leading to heap-based buffer overflows were found in the way curl handled escaping and unescaping of data. An attacker could potentially use these flaws to crash an application using libcurl by sending a specially crafted input to the affected libcurl functions.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:2016 normal SHIPPED_LIVE Moderate: curl security, bug fix, and enhancement update 2017-08-01 14:02:02 EDT
Red Hat Product Errata RHSA-2018:2486 None None None 2018-08-16 12:06 EDT

  None (edit)
Description Adam Mariš 2016-09-14 04:41:03 EDT 
It was found that provided string length arguments in four libcurl functions curl_escape(), curl_easy_escape(), curl_unescape and curl_easy_unescape were not properly checked and due to arithmetic in the functions, passing in the length 0xffffffff (2^32-1 or UINT_MAX or even just -1) would end up causing an allocation of zero bytes of heap memory that curl would attempt to write gigabytes of data into.

This flaw does not affect the curl command line tool.

Affected versions: libcurl 7.11.1 to and including 7.50.2

External References:

https://curl.haxx.se/docs/adv_20160914.html
Comment 1 Adam Mariš 2016-09-14 04:42:28 EDT 
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 1375907]
Comment 2 Adam Mariš 2016-09-14 04:42:45 EDT 
Created mingw-curl tracking bugs for this issue:

Affects: fedora-all [bug 1375908]
Affects: epel-7 [bug 1375909]
Comment 3 Dhiru Kholia 2016-09-15 03:34:17 EDT 
Upstream patch:

https://curl.haxx.se/CVE-2016-7167.patch
Comment 20 errata-xmlrpc 2017-08-01 13:03:18 EDT 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2016 https://access.redhat.com/errata/RHSA-2017:2016
Comment 22 errata-xmlrpc 2018-08-16 12:06:25 EDT 
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2018:2486 https://access.redhat.com/errata/RHSA-2018:2486
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.