Discover Government News

Arch Linux Security Advisory ASA-201701-10
=========================================
Severity: Medium
Date    : 2017-01-03
CVE-ID  : CVE-2016-9586 CVE-2016-9594
Package : lib32-libcurl-compat
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-116

Summary
======
The package lib32-libcurl-compat before version 7.52.1-1 is vulnerable
to multiple issues including arbitrary code execution and incorrect
calculation.

Resolution
=========
Upgrade to 7.52.1-1.

# pacman -Syu "lib32-libcurl-compat>=7.52.1-1"

The problems have been fixed upstream in version 7.52.1.

Workaround
=========
None.

Description
==========
- CVE-2016-9586 (arbitrary code execution)

libcurl's implementation of the printf() functions triggers a buffer
overflow when doing a large floating point output. The bug occurs when
the conversion outputs more than 255 bytes. The flaw happens because
the floating point conversion is using system functions without the
correct boundary checks.
The functions have been documented as deprecated for a long time and
users are discouraged from using them in "new programs" as they are
planned to get removed at a future point. But as the functions are
present and there's nothing preventing users from using them, we expect
there to be a certain amount of existing users in the wild.
If there are any application that accepts a format string from the
outside without necessary input filtering, it could allow remote
attacks.

- CVE-2016-9594 (incorrect calculation)

libcurl's (new) internal function that returns a good 32bit random
value was implemented poorly and overwrote the pointer instead of
writing the value into the buffer the pointer pointed to. This random
value is used to generate nonces for Digest and NTLM authentication,
for generating boundary strings in HTTP formposts and more. Having a
weak or virtually non-existent random there makes these operations
vulnerable.
This function has been introduced in 7.52.0

Impact
=====
A remote attacker is able to execute arbitrary code on a target machine
by sending crafted data to the server. In addition, the nonces
generated by libcurl 7.52.0 were not truly random, which allowed for an
attacker to derive sensitive information (e.g., session keys).

References
=========
https://bugs.archlinux.org/task/52247
https://curl.se/docs/CVE-2016-9586.html
https://curl.se/docs/CVE-2016-9594.html
https://security.archlinux.org/CVE-2016-9586
https://security.archlinux.org/CVE-2016-9594

ArchLinux: 201701-10: lib32-libcurl-compat: multiple issues

January 4, 2017

Summary

- CVE-2016-9586 (arbitrary code execution) libcurl's implementation of the printf() functions triggers a buffer overflow when doing a large floating point output. The bug occurs when the conversion outputs more than 255 bytes. The flaw happens because the floating point conversion is using system functions without the correct boundary checks. The functions have been documented as deprecated for a long time and users are discouraged from using them in "new programs" as they are planned to get removed at a future point. But as the functions are present and there's nothing preventing users from using them, we expect there to be a certain amount of existing users in the wild. If there are any application that accepts a format string from the outside without necessary input filtering, it could allow remote attacks.
- CVE-2016-9594 (incorrect calculation)
libcurl's (new) internal function that returns a good 32bit random value was implemented poorly and overwrote the pointer instead of writing the value into the buffer the pointer pointed to. This random value is used to generate nonces for Digest and NTLM authentication, for generating boundary strings in HTTP formposts and more. Having a weak or virtually non-existent random there makes these operations vulnerable. This function has been introduced in 7.52.0

Resolution

Upgrade to 7.52.1-1. # pacman -Syu "lib32-libcurl-compat>=7.52.1-1"
The problems have been fixed upstream in version 7.52.1.

References

https://bugs.archlinux.org/task/52247 https://curl.se/docs/CVE-2016-9586.html https://curl.se/docs/CVE-2016-9594.html https://security.archlinux.org/CVE-2016-9586 https://security.archlinux.org/CVE-2016-9594

Severity
Package : lib32-libcurl-compat
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-116

Workaround

None.

Related News