Advisories ยป MGASA-2018-0053

Updated curl packages fix security vulnerability

Publication date: 03 Jan 2018
Type: security
Affected Mageia releases : 5
CVE: CVE-2016-8615 , CVE-2016-8616 , CVE-2016-8617 , CVE-2016-8618 , CVE-2016-8619 , CVE-2016-8620 , CVE-2016-8621 , CVE-2016-8622 , CVE-2016-8623 , CVE-2016-8624 , CVE-2016-9586 , CVE-2017-7407 , CVE-2017-8816 , CVE-2017-8817 , CVE-2017-1000100 , CVE-2017-1000101 , CVE-2017-1000254 , CVE-2017-1000257


If cookie state is written into a cookie jar file that is later read back and
used for subsequent requests, a malicious HTTP server can inject new cookies
for arbitrary domains into said cookie jar. The issue pertains to the function
that loads cookies into memory, which reads the specified file into a
fixed-size buffer in a line-by-line manner using the fgets() function. If an
invocation of fgets() cannot read the whole line into the destination buffer
due to it being too small, it truncates the output. This way, a very long
cookie (name + value) sent by a malicious server would be stored in the file
and subsequently that cookie could be read partially and crafted correctly, it
could be treated as a different cookie for another server (CVE-2016-8615).

When re-using a connection, curl was doing case insensitive comparisons of
user name and password with the existing connections. This means that if an
unused connection with proper credentials exists for a protocol that has
connection-scoped credentials, an attacker can cause that connection to be
reused if s/he knows the case-insensitive version of the correct password

In libcurl's base64 encode function, the output buffer is allocated without
any checks on a variable used to determine its size. On systems with 32-bit
addresses in userspace, the multiplication in the expression wraps around if
the size is too large. If this happens, an undersized output buffer will be
allocated, but the full result will be written, thus causing the memory behind
the output buffer to be overwritten. If a username is set directly via
CURLOPT_USERNAME (or curl's -u, --user option), this vulnerability can be
triggered. The name has to be at least 512MB big in a 32bit system. Systems
with 64 bit versions of the size_t type are not affected by this issue

The libcurl API function called curl_maprintf() can be tricked into doing a
double-free due to an unsafe size_t multiplication, on systems using 32 bit
size_t variables. The function is also used internallty in numerous
situations. The function doubles an allocated memory area with realloc() and
allows the size to wrap and become zero and when doing so realloc() returns
NULL and frees the memory - in contrary to normal realloc() fails where it
only returns NULL - causing libcurl to free the memory again in the error
path. Systems with 64 bit versions of the size_t type are not affected by this
issue. This behavior is triggable using the publicly exposed function

In curl's implementation of the Kerberos authentication mechanism, the
function read_data() in security.c is used to fill the necessary krb5
structures. When reading one of the length fields from the socket, it fails to
ensure that the length parameter passed to realloc() is not set to 0. This
would lead to realloc() getting called with a zero size and when doing so
realloc() returns NULL and frees the memory - in contrary to normal realloc()
fails where it only returns NULL - causing libcurl to free the memory again in
the error path. This flaw could be triggered by a malicious or just otherwise
ill-behaving server (CVE-2016-8619).

The curl tool's "globbing" feature allows a user to specify a numerical range
through which curl will iterate. The curl code for parsing the second unsigned
number did not check for a leading minus character, which allowed a user to
specify [1--1] with no complaints and have the latter -1 number get turned
into the largest unsigned long value the system can handle. This would
ultimately cause curl to write outside the dedicated malloced buffer after no
less than 100,000 iterations, since it would have room for 5 digits but not 6.
When the range is specified with letters, and the ending letter is left out
[L-], the code would still advance its read pointer 5 bytes even if the string
was just 4 bytes and end up reading outside the given buffer. This flaw exists
only in the curl tool, not in the libcurl library (CVE-2016-8620).

The curl_getdate date parser function would parse either a string with HH:MM
or HH:MM:SS. If instead the piece of time that was sent in had the final digit
cut off, thus ending with a single-digit, the date parser code would advance
its read pointer one byte too much and end up reading out of bounds

The URL percent-encoding decode function in libcurl is called
curl_easy_unescape. Internally, even if this function would be made to
allocate a unscape destination buffer larger than 2GB, it would return that
new length in a signed 32 bit integer variable, thus the length would get
either just truncated or both truncated and turned negative. That could then
lead to libcurl writing outside of its heap based buffer. This can be
triggered by a user on a 64bit system if the user can send in a custom (very
large) URL to a libcurl using program (CVE-2016-8622).

libcurl explicitly allows users to share cookies between multiple easy handles
that are concurrently employed by different threads. When cookies to be sent
to a server are collected, the matching function collects all cookies to send
and the cookie lock is released immediately afterwards. That funcion however
only returns a list with references back to the original strings for name,
value, path and so on. Therefore, if another thread quickly takes the lock and
frees one of the original cookie structs together with its strings, a
use-after-free can occur and lead to information disclosure. Another thread
can also replace the contents of the cookies from separate HTTP responses or
API calls (CVE-2016-8623).

curl doesn't parse the authority component of the URL correctly when the host
name part ends with a '#' character, and could instead be tricked into
connecting to a different host. This may have security implications if you for
example use a URL parser that follows the RFC to check for allowed domains
before using curl to request them (CVE-2016-8624).

libcurl's implementation of the printf() functions triggers a buffer overflow
when doing a large floating point output. The bug occurs when the conversion
outputs more than 255 bytes. The flaw happens because the floating point
conversion is using system functions without the correct boundary checks

There were two bugs in curl's parser for the command line option --write-out
(or -w for short) that would skip the end of string zero byte if the string
ended in a % (percent) or \ (backslash), and it would read beyond that buffer
in the heap memory and it could then potentially output pieces of that memory
to the terminal or the target file etc (CVE-2017-7407).

When doing a TFTP transfer and curl/libcurl is given a URL that contains a very
long file name (longer than about 515 bytes), the file name is truncated to fit
within the buffer boundaries, but the buffer size is still wrongly updated to
use the untruncated length. This too large value is then used in the sendto()
call, making curl attempt to send more data than what is actually put into the
buffer. The sendto() function will then read beyond the end of the heap based
buffer. A malicious HTTP(S) server could redirect a vulnerable libcurl-using
client to a crafted TFTP URL (if the client hasn't restricted which protocols
it allows redirects to) and trick it to send private memory contents to a
remote server over UDP. Limit curl's redirect protocols with --proto-redir and
libcurl's with CURLOPT_REDIR_PROTOCOLS (CVE-2017-1000100).

curl supports "globbing" of URLs, in which a user can pass a numerical range to
have the tool iterate over those numbers to do a sequence of transfers. In the
globbing function that parses the numerical range, there was an omission that
made curl read a byte beyond the end of the URL if given a carefully crafted,
or just wrongly written, URL. The URL is stored in a heap based buffer, so it
could then be made to wrongly read something else instead of crashing

libcurl contains a buffer overrun flaw in the NTLM authentication code

libcurl contains a read out of bounds flaw in the FTP wildcard function

libcurl may read outside of a heap allocated buffer when doing FTP

libcurl contains a buffer overrun flaw in the IMAP handler