Out-of-bounds write in libcurl - CVE-2016-8622
Published: July 31, 2018 / Updated: August 3, 2020
Vulnerability identifier: #VU33021
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2016-8622
CWE-ID: CWE-787
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: curl.haxx.se
Affected software:
libcurl
libcurl
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function would be made to allocate a unscape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus the length would get either just truncated or both truncated and turned negative. That could then lead to libcurl writing outside of its heap based buffer.
How to mitigate CVE-2016-8622
Install update from vendor's website.
Sources
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
- http://www.securityfocus.com/bid/94105
- http://www.securitytracker.com/id/1037192
- https://access.redhat.com/errata/RHSA-2018:2486
- https://access.redhat.com/errata/RHSA-2018:3558
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8622
- https://curl.haxx.se/docs/adv_20161102H.html
- https://security.gentoo.org/glsa/201701-47
- https://www.tenable.com/security/tns-2016-21