CVE-2016-8618

Source
Severity High
Remote Yes
Type Arbitrary code execution
Description
The libcurl API function called curl_maprintf() can be tricked into doing a double-free due to an unsafe size_t multiplication, on systems using 32 bit size_t variables. The function is also used internally in numerous situations.

The function doubles an allocated memory area with realloc() and allows the size to wrap and become zero and when doing so realloc() returns NULL and frees the memory - in contrary to normal realloc() fails where it only returns NULL - causing libcurl to free the memory again in the error path.

This behavior is triggerable using the publicly exposed function. Systems with 64 bit versions of the size_t type are not affected by this issue.
Group Package Affected Fixed Severity Status Ticket
AVG-66 lib32-libcurl-gnutls 7.50.3-1 7.51.0-1 High Fixed
AVG-63 lib32-libcurl-compat 7.50.3-1 7.51.0-1 High Fixed
AVG-61 lib32-curl 7.50.3-1 7.51.0-1 High Fixed
Date Advisory Group Package Severity Description
02 Nov 2016 ASA-201611-5 AVG-63 lib32-libcurl-compat High multiple issues
02 Nov 2016 ASA-201611-4 AVG-61 lib32-curl High multiple issues
03 Nov 2016 ASA-201611-10 AVG-66 lib32-libcurl-gnutls High multiple issues
References
https://curl.haxx.se/docs/adv_20161102D.html