Subject: [ASA-201711-38] lib32-libcurl-compat: multiple issues Arch Linux Security Advisory ASA-201711-38 ========================================== Severity: High Date : 2017-11-30 CVE-ID : CVE-2017-8816 CVE-2017-8817 CVE-2017-8818 Package : lib32-libcurl-compat Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-522 Summary ======= The package lib32-libcurl-compat before version 7.57.0-1 is vulnerable to multiple issues including arbitrary code execution and information disclosure. Resolution ========== Upgrade to 7.57.0-1. # pacman -Syu "lib32-libcurl-compat>=7.57.0-1" The problems have been fixed upstream in version 7.57.0. Workaround ========== None. Description =========== - CVE-2017-8816 (arbitrary code execution) A buffer overrun flaw has been found in libcurl > 7.15.4 and < 7.57.0, in the NTLM authentication code. The internal function `Curl_ntlm_core_mk_ntlmv2_hash` sums up the lengths of the user name + password (= SUM) and multiplies the sum by two (= SIZE) to figure out how large storage to allocate from the heap. The SUM value is subsequently used to iterate over the input and generate output into the storage buffer. On systems with a 32 bit `size_t`, the math to calculate SIZE triggers an integer overflow when the combined lengths of the user name and password is larger than 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a buffer overrun. This is only an issue on 32 bit systems. It also requires the user and password fields to use more than 2GB of memory combined, which in itself should be rare. - CVE-2017-8817 (information disclosure) A read out of bounds flaw has been found in the FTP wildcard function of libcurl >= 7.21.0 and < 7.57.0. libcurl's FTP wildcard matching feature, which is enabled with the `CURLOPT_WILDCARDMATCH` option can use a built-in wildcard function or a user provided one. The built-in wildcard function has a flaw that makes it not detect the end of the pattern string if it ends with an open bracket (`[`) but instead it will continue reading the heap beyond the end of the URL buffer that holds the wildcard. For applications that use HTTP(S) URLs, allow libcurl to handle redirects and have FTP wildcards enabled, this flaw can be triggered by malicious servers that can redirect clients to a URL using such a wildcard pattern. - CVE-2017-8818 (arbitrary code execution) An out-of-bounds flaw has been found in the SSL related code of libcurl >= 7.56.0 and < 7.57.0. When allocating memory for a connection (the internal struct called connectdata), a certain amount of memory is allocated at the end of the struct to be used for SSL related structs. Those structs are used by the particular SSL library libcurl is built to use. The application can also tell libcurl which specific SSL library to use if it was built to support more than one. The math used to calculate the extra memory amount necessary for the SSL library was wrong on 32 bit systems, which made the allocated memory too small by 4 bytes. The last struct member of the last object within the memory area could then be outside of what was allocated. Accessing that member could lead to a crash or other undefined behaviors depending on what memory that is present there and how the particular SSL library decides to act on that memory content. Specifically the vulnerability is present if libcurl was built so that sizeof(long long *) < sizeof(long long) which as far as we are aware only happens in 32-bit builds. Impact ====== A remote attacker is able to crash the application, possibly disclose sensitive information or execute arbitrary code on the affected host. References ========== https://curl.haxx.se/docs/adv_2017-11e7.html https://curl.haxx.se/docs/adv_2017-ae72.html https://curl.haxx.se/docs/adv_2017-af0a.html https://curl.haxx.se/CVE-2017-8816.patch https://github.com/curl/curl/commit/7f2a1df6f5fc598750b2c6f34465c8d924db28cc https://curl.haxx.se/CVE-2017-8817.patch https://github.com/curl/curl/commit/0b664ba968437715819bfe4c7ada5679d16ebbc3 https://curl.haxx.se/CVE-2017-8818.patch https://github.com/curl/curl/commit/9b5e12a5491d2e6b68e0c88ca56f3a9ef9fba400 https://security.archlinux.org/CVE-2017-8816 https://security.archlinux.org/CVE-2017-8817 https://security.archlinux.org/CVE-2017-8818