Bug 1388382 – CVE-2016-8620 curl: Glob parser write/read out of bounds

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1388382 - (CVE-2016-8620) CVE-2016-8620 curl: Glob parser write/read out of bounds

Summary:	CVE-2016-8620 curl: Glob parser write/read out of bounds

Status:	NEW

Aliases:	CVE-2016-8620

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20161102,repor...
Keywords:	Security

Depends On:	1390896 1390894 1390895
Blocks:	1388393
	Show dependency tree / graph

Reported:	2016-10-25 04:25 EDT by Andrej Nemec
Modified:	2018-07-18 11:04 EDT (History)
CC List:	28 users (show)

See Also:
Fixed In Version:	curl 7.51.0
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Upstream patch (4.64 KB, patch) 2016-10-25 04:58 EDT, Andrej Nemec	no flags	Details \| Diff
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Andrej Nemec 2016-10-25 04:25:56 EDT


The curl tool's "globbing" feature allows a user to specify a numerical range
through which curl will iterate. It is typically specified as [1-5],
specifying the first and the last numbers in the range. Or with [a-z], using
letters.

1. The curl code for parsing the second *unsigned* number did not check for a
leading minus character, which allowed a user to specify `[1--1]` with no
complaints and have the latter `-1` number get turned into the largest
unsigned long value the system can handle. This would ultimately cause curl to
write outside the dedicated malloced buffer after no less than 100,000
iterations, since it would have room for 5 digits but not 6.

2. When the range is specified with letters, and the ending letter is left out
`[L-]`, the code would still advance its read pointer 5 bytes even if the
string was just 4 bytes and end up reading outside the given buffer.

External References:

https://curl.haxx.se/docs/adv_20161102F.html

Comment 1 Andrej Nemec 2016-10-25 04:58 EDT

Created attachment 1213776 [details]
Upstream patch

Comment 2 Adam Mariš 2016-11-02 04:27:53 EDT

Created curl tracking bugs for this issue:

Affects: fedora-all [bug 1390894]

Comment 3 Adam Mariš 2016-11-02 04:28:06 EDT

Created mingw-curl tracking bugs for this issue:

Affects: fedora-all [bug 1390895]
Affects: epel-7 [bug 1390896]

Note You need to log in before you can comment on or make changes to this bug.

bmcclain
cfergeau
csutherl
dblechte
eedri
erik-fedora
gklein
gzaronik
jclere
kdudka
lgao
lsurette
mbabacek
mgoldboi
michal.skrivanek
mike
mturk
myarboro
omajid
paul
rh-spice-bugs
security-response-team
sherold
srevivo
twalsh
weli
ykaul
ylavi