Out-of-bounds write in curl (Alpine package)

1) Out-of-bounds write

EUVDB-ID: #VU33021

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-8622

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function would be made to allocate a unscape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus the length would get either just truncated or both truncated and turned negative. That could then lead to libcurl writing outside of its heap based buffer.

Mitigation

Install update from vendor's website.

Vulnerable software versions

curl (Alpine package): 7.49.1-r3

External links

http://git.alpinelinux.org/aports/commit/?id=7079fe21530ae1c8147925d8b591131b786ab2e9
http://git.alpinelinux.org/aports/commit/?id=619d9f8608068fab555a9a54e6154eb798eb5c2c
http://git.alpinelinux.org/aports/commit/?id=ba3dc3d210189d8b88c35c3b6850f54f8041f3fa
http://git.alpinelinux.org/aports/commit/?id=4cbdd0cf8c1d0c855e0d3cfb56ef02aa19716a01
http://git.alpinelinux.org/aports/commit/?id=41621bfa2c8cbc7303191ddefd9ccaa650d8b359
http://git.alpinelinux.org/aports/commit/?id=ffe6b82496f728d1d75dae4030047c6ff48a9c5a

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.