#VU33021 Out-of-bounds write in libcurl - CVE-2016-8622
Published: July 31, 2018 / Updated: August 3, 2020
Vulnerability identifier: #VU33021
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2016-8622
CWE-ID: CWE-787
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
libcurl
libcurl
Software vendor:
curl.haxx.se
curl.haxx.se
Description
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function would be made to allocate a unscape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus the length would get either just truncated or both truncated and turned negative. That could then lead to libcurl writing outside of its heap based buffer.
Remediation
Install update from vendor's website.
External links
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
- http://www.securityfocus.com/bid/94105
- http://www.securitytracker.com/id/1037192
- https://access.redhat.com/errata/RHSA-2018:2486
- https://access.redhat.com/errata/RHSA-2018:3558
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8622
- https://curl.haxx.se/docs/adv_20161102H.html
- https://security.gentoo.org/glsa/201701-47
- https://www.tenable.com/security/tns-2016-21