The curl tool's "globbing" feature allows a user to specify a numerical range through which curl will iterate. It is typically specified as [1-5], specifying the first and the last numbers in the range. Or with [a-z], using letters. 1. The curl code for parsing the second *unsigned* number did not check for a leading minus character, which allowed a user to specify `[1--1]` with no complaints and have the latter `-1` number get turned into the largest unsigned long value the system can handle. This would ultimately cause curl to write outside the dedicated malloced buffer after no less than 100,000 iterations, since it would have room for 5 digits but not 6. 2. When the range is specified with letters, and the ending letter is left out `[L-]`, the code would still advance its read pointer 5 bytes even if the string was just 4 bytes and end up reading outside the given buffer. External References: https://curl.haxx.se/docs/adv_20161102F.html
Created attachment 1213776 [details] Upstream patch
Created curl tracking bugs for this issue: Affects: fedora-all [bug 1390894]
Created mingw-curl tracking bugs for this issue: Affects: fedora-all [bug 1390895] Affects: epel-7 [bug 1390896]
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Via RHSA-2018:3558 https://access.redhat.com/errata/RHSA-2018:3558