SB2016110326 - Arch Linux update for libcurl-compat




Published: November 3, 2016 Updated: May 3, 2017

Security Bulletin ID: SB2016110326
Severity: High
Patch available: YES
Number of vulnerabilities: 9
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 22% Medium 56% Low 22%

Description

This security bulletin contains information about 9 security vulnerabilities.


1) Security Features (CVE-ID: CVE-2016-8615)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

A flaw was found in curl before version 7.51. If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar.


2) Credentials management (CVE-ID: CVE-2016-8616)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

A flaw was found in curl before version 7.51.0. When re-using a connection, curl was doing case-insensitive comparisons of user name and password with the existing connections. This means that if an unused connection with proper credentials exists for a protocol that has connection-scoped credentials, an attacker can cause that connection to be reused if s/he knows the case-insensitive version of the correct password.


3) Out-of-bounds write (CVE-ID: CVE-2016-8617)

The vulnerability allows a local authenticated user to execute arbitrary code.

The base64 encode function in curl before version 7.51.0 is prone to under-allocating its buffer on 32-bit systems if it receives at least 1Gb as input via `CURLOPT_USERNAME`.


4) Double Free (CVE-ID: CVE-2016-8619)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The function `read_data()` in security.c in curl before version 7.51.0 is vulnerable to a memory double free.


5) Out-of-bounds read (CVE-ID: CVE-2016-8621)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The `curl_getdate` function in curl before version 7.51.0 is vulnerable to an out-of-bounds read if it receives an input that is one digit short.


6) Out-of-bounds write (CVE-ID: CVE-2016-8622)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function could be made to allocate an unescape destination buffer larger than 2GB, it would return that new length in a signed 32-bit integer variable, so the length would be either just truncated or both truncated and turned negative. That could then lead to libcurl writing outside of its heap-based buffer.


7) Use-after-free (CVE-ID: CVE-2016-8623)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

A flaw was found in curl before version 7.51.0. The way curl handles cookies permits other threads to trigger a use-after-free leading to information disclosure.


8) URL redirection (CVE-ID: CVE-2016-8624)

The vulnerability allows a remote attacker to perform phishing attacks.

The vulnerability is caused by an error when parsing a URL. A remote attacker can supply a link with a "#" character at the end of the hostname and cause the libcurl client to redirect to a host specified after the "#" character.

Exploit example:

http://example.com#@evilsite.com/1.txt

The above URL forces the libcurl client to connect to the evilsite.com host instead of example.com.

The vulnerability allows an attacker to perform phishing attacks by tricking victims into connecting to an untrusted host.
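A pre-flight check for the host ambiguity described in item 8, added here as an example (it is not code from curl or from this bulletin): it derives the host per RFC 3986 and per a lenient reading in which "#" does not end the authority, and rejects a URL when the two differ. The lenient reading is an assumed model of the behaviour described above, and the function names `host_of` and `check_url_host` are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Copy the host part of an authority span, dropping userinfo up to the
 * last '@'. Returns -1 if the host is empty or does not fit in out. */
static int host_of(const char *span, size_t len, char *out, size_t outsz)
{
    const char *at = NULL;
    for (size_t i = 0; i < len; i++)
        if (span[i] == '@') at = span + i;
    if (at) { len -= (size_t)(at + 1 - span); span = at + 1; }
    if (len == 0 || len >= outsz) return -1;
    memcpy(out, span, len);
    out[len] = '\0';
    return 0;
}

/* 0: both readings agree on the host; 1: they differ (reject the URL);
 * -1: no "://" or no usable host. strict and lenient receive the hosts. */
int check_url_host(const char *url, char *strict, char *lenient, size_t sz)
{
    const char *auth = strstr(url, "://");
    if (!auth) return -1;
    auth += 3;
    /* RFC 3986: the authority ends at the first '/', '?' or '#'. */
    if (host_of(auth, strcspn(auth, "/?#"), strict, sz)) return -1;
    /* Assumed lenient reading: '#' does not end the authority, so an '@'
     * after it is taken as the userinfo delimiter. */
    if (host_of(auth, strcspn(auth, "/?"), lenient, sz)) return -1;
    lenient[strcspn(lenient, "#")] = '\0';  /* fragment glued to the host */
    return strcmp(strict, lenient) != 0;
}

int main(void)
{
    /* First URL is the one quoted in the bulletin; the rest are constructed. */
    const char *urls[] = { "http://example.com#@evilsite.com/1.txt",
                           "http://user:pw@example.com/path",
                           "http://example.com#section" };
    char s[256], l[256];
    for (size_t i = 0; i < sizeof urls / sizeof urls[0]; i++) {
        int r = check_url_host(urls[i], s, l, sizeof s);
        printf("%-40s %s (strict=%s lenient=%s)\n", urls[i],
               r == 0 ? "ok" : "REJECT", r < 0 ? "-" : s, r < 0 ? "-" : l);
    }
    return 0;
}
```

Running the check on untrusted URLs before they reach an unpatched client keeps allow-list decisions and the actual connection target tied to the same host.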


9) Input validation error (CVE-ID: CVE-2016-8625)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

curl before version 7.51.0 uses the outdated IDNA 2003 standard to handle International Domain Names, which may lead users to unknowingly issue network transfer requests to the wrong host.


Remediation

Install the update from the vendor's website.