Arch Linux Security Advisory ASA-201609-18
==========================================

Severity: Low
Date    : 20916-09-20
CVE-ID  : CVE-2016-7167
Package : lib32-curl
Type    : denial of service
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package lib32-curl before version 7.50.3-1 is vulnerable to denial
of service.

Resolution
==========

Upgrade to 7.50.3-1.

# pacman -Syu "lib32-curl>=7.50.3-1"

The problem has been fixed upstream in version 7.50.3.

Workaround
==========

None.

Description
===========

The four libcurl functions `curl_escape()`, `curl_easy_escape()`,
`curl_unescape` and `curl_easy_unescape` perform string URL percent
escaping and unescaping. They accept custom string length inputs in
signed integer arguments. (The functions having names without "easy"
being the deprecated versions of the others.)

The provided string length arguments were not properly checked and due
to arithmetic in the functions, passing in the length 0xffffffff (2^32-1
or `UINT_MAX` or even just -1) would end up causing an allocation of
zero bytes of heap memory that curl would attempt to write gigabytes of
data into.

The use of 'int' for this input type in the API is of course unwise but
has remained so in order to maintain the API over the years.

We are not aware of any exploit of this flaw.

Impact
======

A remote attacker might cause a crash by providing a specially crafted
URL, leading to a denial of service.

References
==========

http://www.openwall.com/lists/oss-security/2016/09/14/1
https://curl.haxx.se/docs/adv_20160914.html
https://access.redhat.com/security/cve/CVE-2016-7167