[manjaro-security] [arch-security] [ASA-201711-38] lib32-libcurl-compat: multiple issues

Levente Polyak via arch-security arch-security at archlinux.org
Fri Dec 1 17:43:01 CET 2017


Arch Linux Security Advisory ASA-201711-38
==========================================

Severity: High
Date    : 2017-11-30
CVE-ID  : CVE-2017-8816 CVE-2017-8817 CVE-2017-8818
Package : lib32-libcurl-compat
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-522

Summary
=======

The package lib32-libcurl-compat before version 7.57.0-1 is vulnerable
to multiple issues including arbitrary code execution and information
disclosure.

Resolution
==========

Upgrade to 7.57.0-1.

# pacman -Syu "lib32-libcurl-compat>=7.57.0-1"

The problems have been fixed upstream in version 7.57.0.

Workaround
==========

None.

Description
===========

- CVE-2017-8816 (arbitrary code execution)

A buffer overrun flaw has been found in libcurl > 7.15.4 and < 7.57.0,
in the NTLM authentication code. The internal function
`Curl_ntlm_core_mk_ntlmv2_hash` sums up the lengths of the user name +
password (= SUM) and multiplies the sum by two (= SIZE) to figure out
how large storage to allocate from the heap. The SUM value is
subsequently used to iterate over the input and generate output into
the storage buffer. On systems with a 32 bit `size_t`, the math to
calculate SIZE triggers an integer overflow when the combined lengths
of the user name and password is larger than 2GB (2^31 bytes). This
integer overflow usually causes a very small buffer to actually get
allocated instead of the intended very huge one, making the use of that
buffer end up in a buffer overrun.
This is only an issue on 32 bit systems. It also requires the user and
password fields to use more than 2GB of memory combined, which in
itself should be rare.

- CVE-2017-8817 (information disclosure)

A read out of bounds flaw has been found in the FTP wildcard function
of libcurl >= 7.21.0 and < 7.57.0. libcurl's FTP wildcard matching
feature, which is enabled with the `CURLOPT_WILDCARDMATCH` option can
use a built-in wildcard function or a user provided one. The built-in
wildcard function has a flaw that makes it not detect the end of the
pattern string if it ends with an open bracket (`[`) but instead it
will continue reading the heap beyond the end of the URL buffer that
holds the wildcard.
For applications that use HTTP(S) URLs, allow libcurl to handle
redirects and have FTP wildcards enabled, this flaw can be triggered by
malicious servers that can redirect clients to a URL using such a
wildcard pattern.

- CVE-2017-8818 (arbitrary code execution)

An out-of-bounds flaw has been found in the SSL related code of libcurl
>= 7.56.0 and < 7.57.0. When allocating memory for a connection (the
internal struct called connectdata), a certain amount of memory is
allocated at the end of the struct to be used for SSL related structs.
Those structs are used by the particular SSL library libcurl is built
to use. The application can also tell libcurl which specific SSL
library to use if it was built to support more than one. The math used
to calculate the extra memory amount necessary for the SSL library was
wrong on 32 bit systems, which made the allocated memory too small by 4
bytes. The last struct member of the last object within the memory area
could then be outside of what was allocated. Accessing that member
could lead to a crash or other undefined behaviors depending on what
memory that is present there and how the particular SSL library decides
to act on that memory content.
Specifically the vulnerability is present if libcurl was built so that
sizeof(long long *) < sizeof(long long) which as far as we are aware
only happens in 32-bit builds.

Impact
======

A remote attacker is able to crash the application, possibly disclose
sensitive information or execute arbitrary code on the affected host.

References
==========

https://curl.haxx.se/docs/adv_2017-11e7.html
https://curl.haxx.se/docs/adv_2017-ae72.html
https://curl.haxx.se/docs/adv_2017-af0a.html
https://curl.haxx.se/CVE-2017-8816.patch
https://github.com/curl/curl/commit/7f2a1df6f5fc598750b2c6f34465c8d924db28cc
https://curl.haxx.se/CVE-2017-8817.patch
https://github.com/curl/curl/commit/0b664ba968437715819bfe4c7ada5679d16ebbc3
https://curl.haxx.se/CVE-2017-8818.patch
https://github.com/curl/curl/commit/9b5e12a5491d2e6b68e0c88ca56f3a9ef9fba400
https://security.archlinux.org/CVE-2017-8816
https://security.archlinux.org/CVE-2017-8817
https://security.archlinux.org/CVE-2017-8818

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 866 bytes
Desc: OpenPGP digital signature
URL: <http://lists.manjaro.org/pipermail/manjaro-security/attachments/20171201/f72c132f/attachment.sig>


More information about the manjaro-security mailing list