ArchLinux: 201609-19: curl: denial of service
Summary
The four libcurl functions `curl_escape()`, `curl_easy_escape()`,
`curl_unescape` and `curl_easy_unescape` perform string URL percent
escaping and unescaping. They accept custom string length inputs in
signed integer arguments. (The functions having names without "easy"
being the deprecated versions of the others.)
The provided string length arguments were not properly checked and due
to arithmetic in the functions, passing in the length 0xffffffff
(2^32-1 or `UINT_MAX` or even just -1) would end up causing an
allocation of zero bytes of heap memory that curl would attempt to
write gigabytes of data into.
The use of 'int' for this input type in the API is of course unwise
but has remained so in order to maintain the API over the years.
We are not aware of any exploit of this flaw.
Resolution
Upgrade to 7.50.3-1.
# pacman -Syu "curl>=7.50.3-1"
The problem has been fixed upstream in version 7.50.3.
References
https://www.openwall.com/lists/oss-security/2016/09/14/1 https://curl.se/docs/CVE-2016-7167.html https://access.redhat.com/security/cve/CVE-2016-7167
Workaround
None.