[manjaro-security] [arch-security] [ASA-201609-18] lib32-curl: denial of service

Jelle van der Waa jelle at archlinux.org
Tue Sep 20 21:14:51 CEST 2016

Arch Linux Security Advisory ASA-201609-18

Severity: Low
Date    : 20916-09-20
CVE-ID  : CVE-2016-7167
Package : lib32-curl
Type    : denial of service
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE


The package lib32-curl before version 7.50.3-1 is vulnerable to denial
of service.


Upgrade to 7.50.3-1.

# pacman -Syu "lib32-curl>=7.50.3-1"

The problem has been fixed upstream in version 7.50.3.




The four libcurl functions `curl_escape()`, `curl_easy_escape()`,
`curl_unescape` and `curl_easy_unescape` perform string URL percent
escaping and unescaping. They accept custom string length inputs in
signed integer arguments. (The functions having names without "easy"
being the deprecated versions of the others.)

The provided string length arguments were not properly checked and due
to arithmetic in the functions, passing in the length 0xffffffff (2^32-1
or `UINT_MAX` or even just -1) would end up causing an allocation of
zero bytes of heap memory that curl would attempt to write gigabytes of
data into.

The use of 'int' for this input type in the API is of course unwise but
has remained so in order to maintain the API over the years.

We are not aware of any exploit of this flaw.


A remote attacker might cause a crash by providing a specially crafted
URL, leading to a denial of service.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: not available
URL: <http://lists.manjaro.org/pipermail/manjaro-security/attachments/20160920/666958e6/attachment.pgp>

More information about the manjaro-security mailing list