SB2016111006 - OpenSUSE Linux update for curl

Published: November 10, 2016

Security Bulletin ID SB2016111006
Severity
High
Patch available
YES
Number of vulnerabilities 11
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 45%, Medium 36%, Low 18%

Description

This security bulletin contains information about 11 security vulnerabilities.


1) Arbitrary code execution (CVE-ID: CVE-2016-7167)

The vulnerability allows a remote user to execute arbitrary code on the target system.
The weakness exists due to an integer overflow. Passing a specially crafted length parameter value to certain libcurl functions allows an attacker to obtain potentially sensitive information and execute arbitrary code.
Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

2) Security Features (CVE-ID: CVE-2016-8615)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

A flaw was found in curl before version 7.51. If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar.


3) Credentials management (CVE-ID: CVE-2016-8616)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

A flaw was found in curl before version 7.51.0. When re-using a connection, curl was doing case-insensitive comparisons of the user name and password with those of the existing connections. This means that if an unused connection with proper credentials exists for a protocol that has connection-scoped credentials, an attacker can cause that connection to be reused if s/he knows the case-insensitive version of the correct password.


4) Out-of-bounds write (CVE-ID: CVE-2016-8617)

The vulnerability allows a local authenticated user to execute arbitrary code.

The base64 encode function in curl before version 7.51.0 is prone to a buffer being under-allocated on 32-bit systems if it receives at least 1Gb as input via `CURLOPT_USERNAME`.


5) Double Free (CVE-ID: CVE-2016-8618)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The libcurl API function `curl_maprintf()` before version 7.51.0 can be tricked into doing a double free due to an unsafe `size_t` multiplication, on systems using 32-bit `size_t` variables.


6) Double Free (CVE-ID: CVE-2016-8619)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The function `read_data()` in security.c in curl before version 7.51.0 is vulnerable to a double free of memory.


7) Out-of-bounds read (CVE-ID: CVE-2016-8620)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The 'globbing' feature in curl before version 7.51.0 has a flaw that leads to an integer overflow and an out-of-bounds read via user-controlled input.


8) Out-of-bounds read (CVE-ID: CVE-2016-8621)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The `curl_getdate` function in curl before version 7.51.0 is vulnerable to an out-of-bounds read if it receives an input that is one digit short.


9) Out-of-bounds write (CVE-ID: CVE-2016-8622)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function were made to allocate an unescape destination buffer larger than 2GB, it would return that new length in a signed 32-bit integer variable, so the length would get either just truncated or both truncated and turned negative. That could then lead to libcurl writing outside of its heap-based buffer.


10) Use-after-free (CVE-ID: CVE-2016-8623)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

A flaw was found in curl before version 7.51.0. The way curl handles cookies permits other threads to trigger a use-after-free, leading to information disclosure.


11) URL redirection (CVE-ID: CVE-2016-8624)

The vulnerability allows a remote attacker to perform phishing attacks.

The vulnerability is caused by an error when parsing URLs. A remote attacker can supply a URL whose hostname ends with a "#" character and cause the libcurl client to connect to the host specified after the "#" character.

Exploit example:

http://example.com#@evilsite.com/1.txt

The above URL forces the libcurl client to connect to the evilsite.com hostname instead of example.com.

The vulnerability allows an attacker to perform phishing attacks by tricking victims into connecting to an untrusted host.
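Added example (not part of the bulletin or of curl's own code): a differential check that compares the host a standards-conforming parser extracts from a URL with the host a parser that looks for "@" before handling "#" would pick, so that URLs like the one above can be rejected before they reach a client. The `lax_host` function is an assumed model of the pre-7.51.0 behaviour described in the bulletin, and the sample URLs are constructed.

```python
"""Flag URLs whose host a lax '@'-first parser would resolve differently
than an RFC 3986 parser does (the CVE-2016-8624 ambiguity)."""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample inputs; the first is the bulletin's own example URL.
SAMPLE_URLS = [
    "http://example.com#@evilsite.com/1.txt",  # '#' before '@' in the authority
    "http://example.com/path#section",         # ordinary fragment
    "http://user:pw@example.com/",             # legitimate userinfo
    "http://example.com/#@notahost",           # '#' after the path: unambiguous
]


def rfc3986_host(url: str) -> str:
    """Host as a conforming parser sees it: the fragment begins at the first
    '#', so nothing after it can become part of the authority."""
    return (urlsplit(url).hostname or "").lower()


def lax_host(url: str) -> str:
    """Assumed model of the old behaviour: scan up to the first '/', treat
    anything before the last '@' as userinfo, then strip '#' and the port."""
    rest = url.split("://", 1)[1] if "://" in url else url
    authority = rest.split("/", 1)[0]
    if "@" in authority:
        authority = authority.rsplit("@", 1)[1]
    host = authority.split("#", 1)[0]
    if host.startswith("[") and "]" in host:  # bracketed IPv6 literal
        host = host[1:host.index("]")]
    else:
        host = host.split(":", 1)[0]
    return host.lower()


def host_mismatch(url: str) -> Optional[Tuple[str, str]]:
    """Return (strict_host, lax_host) when the two parsers disagree, else None."""
    strict, lax = rfc3986_host(url), lax_host(url)
    return None if strict == lax else (strict, lax)


def audit(urls) -> Dict[str, Tuple[str, str]]:
    """Map each ambiguous URL to the pair of hosts it could be taken to name."""
    return {u: pair for u in urls if (pair := host_mismatch(u)) is not None}


if __name__ == "__main__":
    for url, (strict, lax) in audit(SAMPLE_URLS).items():
        print(f"REJECT {url}: RFC host={strict!r}, lax host={lax!r}")
```

A URL gateway or fetch wrapper can refuse anything `audit` reports, which removes the ambiguity regardless of which libcurl version the client links against.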


Remediation

Install the update from the vendor's website.