Subject: [ASA-201701-7] libcurl-compat: multiple issues

Arch Linux Security Advisory ASA-201701-7
=========================================

Severity: Medium
Date    : 2017-01-03
CVE-ID  : CVE-2016-9586 CVE-2016-9594
Package : libcurl-compat
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-113

Summary
=======

The package libcurl-compat before version 7.52.1-1 is vulnerable to
multiple issues including arbitrary code execution and incorrect
calculation.

Resolution
==========

Upgrade to 7.52.1-1.

# pacman -Syu "libcurl-compat>=7.52.1-1"

The problems have been fixed upstream in version 7.52.1.

Workaround
==========

None.

Description
===========

- CVE-2016-9586 (arbitrary code execution)

libcurl's implementation of the printf() functions triggers a buffer
overflow when doing a large floating point output. The bug occurs when
the conversion outputs more than 255 bytes. The flaw happens because the
floating point conversion is using system functions without the correct
boundary checks.

The functions have been documented as deprecated for a long time and
users are discouraged from using them in "new programs" as they are
planned to get removed at a future point. But as the functions are
present and there's nothing preventing users from using them, we expect
there to be a certain amount of existing users in the wild.

If there is any application that accepts a format string from the
outside without the necessary input filtering, it could allow remote
attacks.

- CVE-2016-9594 (incorrect calculation)

libcurl's (new) internal function that returns a good 32-bit random
value was implemented poorly and overwrote the pointer instead of
writing the value into the buffer the pointer pointed to.

This random value is used to generate nonces for Digest and NTLM
authentication, for generating boundary strings in HTTP formposts and
more. Having a weak or virtually non-existent random there makes these
operations vulnerable.

This function was introduced in 7.52.0.

Impact
======

A remote attacker is able to execute arbitrary code on a target machine
by sending crafted data to the server. In addition, the nonces generated
by libcurl 7.52.0 were not truly random, which allowed an attacker to
derive sensitive information (e.g., session keys).

References
==========

https://bugs.archlinux.org/task/52247
https://curl.haxx.se/docs/adv_20161221A.html
https://curl.haxx.se/docs/adv_20161223.html
https://security.archlinux.org/CVE-2016-9586
https://security.archlinux.org/CVE-2016-9594
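The CVE-2016-9594 description above boils down to an output-parameter mistake. The following is an added, constructed illustration of that bug class (not curl's own code): a generator that assigns to its local copy of the pointer instead of dereferencing it compiles cleanly and reports success while the caller's buffer is never written, next to the corrected shape and a check that catches the defect by confirming successive values actually differ. The xorshift32 stand-in for the entropy source is an assumption made only so the example runs deterministically offline.

```c
#include <stdint.h>
#include <stddef.h>

/* Stand-in entropy source (xorshift32), assumed here only for determinism.
 * Real nonces must come from the OS CSPRNG (e.g. getrandom(2)), never this. */
static uint32_t entropy_state = 0x9E3779B9u;

static uint32_t next_entropy(void)
{
    uint32_t x = entropy_state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    entropy_state = x;
    return x;
}

/* Buggy shape of the CVE-2016-9594 defect (constructed, not curl's code):
 * the function assigns to its local copy of the pointer, so the caller's
 * buffer is never written. It compiles cleanly and reports success. */
int rand32_buggy(unsigned int *rnd)
{
    unsigned int r = (unsigned int)next_entropy();
    rnd = &r;                  /* BUG: should be *rnd = r */
    return rnd ? 0 : -1;       /* always 0: "success" with nothing written */
}

/* Fixed shape: dereference the output parameter. */
int rand32_fixed(unsigned int *rnd)
{
    *rnd = (unsigned int)next_entropy();
    return 0;
}

/* Check a generator the way a nonce builder would notice the defect: fill a
 * zeroed buffer n times (n <= 64) and count distinct values; a generator
 * that never writes its output leaves the buffer at 0 every time, so 1. */
size_t distinct_values(int (*gen)(unsigned int *), size_t n)
{
    unsigned int seen[64];
    size_t count = 0, i, j;
    if (n > 64) n = 64;
    for (i = 0; i < n; i++) {
        unsigned int v = 0;             /* caller's (zeroed) output buffer */
        if (gen(&v) != 0) return 0;
        for (j = 0; j < count && seen[j] != v; j++) { }
        if (j == count) seen[count++] = v;
    }
    return count;
}
```

Wiring a check like distinct_values() into a unit test of the random-value sink is what would have flagged the 7.52.0 regression before release.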