ArchLinux: 201701-7: libcurl-compat: multiple issues
Summary
- CVE-2016-9586 (arbitrary code execution)
libcurl's implementation of the printf() functions triggers a buffer
overflow when doing a large floating point output. The bug occurs when
the conversion outputs more than 255 bytes. The flaw happens because
the floating point conversion is using system functions without the
correct boundary checks.
The functions have been documented as deprecated for a long time and
users are discouraged from using them in "new programs" as they are
planned to get removed at a future point. But as the functions are
present and there's nothing preventing users from using them, we expect
there to be a certain number of existing users in the wild.
If there is any application that accepts a format string from the
outside without the necessary input filtering, it could allow remote
attacks.
- CVE-2016-9594 (incorrect calculation)
libcurl's (new) internal function that returns a good 32-bit random
value was implemented poorly and overwrote the pointer instead of
writing the value into the buffer the pointer pointed to. This random
value is used to generate nonces for Digest and NTLM authentication,
for generating boundary strings in HTTP formposts and more. Having a
weak or virtually non-existent random there makes these operations
vulnerable.
This function was introduced in 7.52.0.
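The boundary-check failure described for CVE-2016-9586 is easiest to see with the output lengths involved: a plain "%f" conversion of a large double produces several hundred bytes. The following C is an added example, not curl's code; it uses snprintf's length reporting to reject a floating-point conversion that would not fit a fixed buffer instead of writing past it. The helper names, the 256-byte buffer and the sample format strings are this example's assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Format a double with a caller-supplied conversion (assumed to be a single
   floating-point conversion such as "%f" or "%.400f") into a fixed-size
   buffer. Returns the number of bytes written (excluding the NUL) or -1 if
   the output would not fit. snprintf reports the length the conversion
   *would* need, so the size check is done against the real buffer size
   instead of assuming a 255-byte maximum. */
int format_double_safe(char *out, size_t outlen, const char *fmt, double v)
{
    if (out == NULL || outlen == 0)
        return -1;
    int needed = snprintf(out, outlen, fmt, v);
    if (needed < 0 || (size_t)needed >= outlen) {
        /* Truncated: snprintf never writes past outlen-1, but report the
           failure rather than hand back a silently cut string. */
        out[0] = '\0';
        return -1;
    }
    return needed;
}

/* Length a conversion would need, without writing anything. */
int required_len(const char *fmt, double v)
{
    return snprintf(NULL, 0, fmt, v);
}

int main(void)
{
    char buf[256];
    /* 1e300 printed with "%f" needs 301 integer digits plus ".000000". */
    printf("%%f of 1e300 needs %d bytes\n", required_len("%f", 1e300));
    printf("into a 256-byte buffer: %d (rejected)\n",
           format_double_safe(buf, sizeof buf, "%f", 1e300));
    printf("3.5 -> %d bytes: %s\n",
           format_double_safe(buf, sizeof buf, "%f", 3.5), buf);
    return 0;
}
```

The useful part for a reviewer is that the limit is derived from the destination buffer rather than from an assumed maximum conversion width; any formatter that writes first and checks afterwards has the same shape of bug regardless of the constant chosen.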
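For CVE-2016-9594 the defect is a pointer-versus-value mistake: the function assigned to its pointer parameter instead of storing through it, so the caller's buffer kept whatever it held before. The C below is an added example, not curl's code: it shows the correct store through the pointer and a regression check that catches the broken shape by seeding the caller's variable with a sentinel. Reading /dev/urandom, the function names and the sentinel value are assumptions of this example.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Fill *out with 32 random bits read from /dev/urandom (an assumption of
   this example). Returns 0 on success, -1 on failure. The bug class
   described above is writing to the parameter itself ("out = value")
   rather than through it ("*out = value"). */
int get_random32(uint32_t *out)
{
    if (out == NULL)
        return -1;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    uint32_t value = 0;
    size_t got = fread(&value, sizeof(value), 1, f);
    fclose(f);
    if (got != 1)
        return -1;
    *out = value;   /* store THROUGH the pointer, into the caller's buffer */
    return 0;
}

/* Deliberately broken variant used only to show the check below firing:
   it computes a value but never stores it into *out. */
int get_random32_broken(uint32_t *out)
{
    uint32_t value = 0x12345678u;
    (void)value;
    (void)out;      /* the value never reaches the caller */
    return 0;
}

/* Regression check a maintainer would add after a bug of this kind: seed
   two caller buffers with a sentinel and require that the function both
   succeeds and actually replaces them. An implementation that leaves the
   caller's variable untouched fails. Returns 1 on pass, 0 on failure.
   (A genuine random source returning the sentinel twice has probability
   2^-64, so the check does not flake in practice.) */
int random_fill_check(int (*fn)(uint32_t *))
{
    const uint32_t sentinel = 0xDEADBEEFu;
    uint32_t a = sentinel, b = sentinel;
    if (fn(&a) != 0 || fn(&b) != 0)
        return 0;
    if (a == sentinel && b == sentinel)
        return 0;   /* buffers never written */
    return 1;
}

int main(void)
{
    printf("correct implementation: %s\n",
           random_fill_check(get_random32) ? "pass" : "FAIL");
    printf("broken implementation:  %s\n",
           random_fill_check(get_random32_broken) ? "pass" : "FAIL");
    return 0;
}
```

The check is deliberately about whether the output buffer changed at all, not about statistical quality; that is exactly the property the advisory says was lost, and it is cheap enough to run on every build.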
Resolution
Upgrade to 7.52.1-1.
# pacman -Syu "libcurl-compat>=7.52.1-1"
The problems have been fixed upstream in version 7.52.1.
References
https://bugs.archlinux.org/task/52247
https://curl.se/docs/CVE-2016-9586.html
https://curl.se/docs/CVE-2016-9594.html
https://security.archlinux.org/CVE-2016-9586
https://security.archlinux.org/CVE-2016-9594
Workaround
None.