CVE-2016-8619

Source
Severity High
Remote Yes
Type Arbitrary code execution
Description
In curl's implementation of the Kerberos authentication mechanism, the function read_data() in security.c is used to fill the necessary krb5 structures. When reading one of the length fields from the socket, it fails to ensure that the length parameter passed to realloc() is not set to 0.

This would lead to realloc() getting called with a zero size and when doing so realloc() returns NULL and frees the memory - in contrary to normal realloc() fails where it only returns NULL - causing libcurl to free the memory again in the error path.

This flaw could be triggered by a malicious or just otherwise ill-behaving server.
Group Package Affected Fixed Severity Status Ticket
AVG-66 lib32-libcurl-gnutls 7.50.3-1 7.51.0-1 High Fixed
AVG-65 libcurl-gnutls 7.50.3-1 7.51.0-1 High Fixed
AVG-63 lib32-libcurl-compat 7.50.3-1 7.51.0-1 High Fixed
AVG-62 libcurl-compat 7.50.3-1 7.51.0-1 High Fixed
AVG-61 lib32-curl 7.50.3-1 7.51.0-1 High Fixed
AVG-60 curl 7.50.3-1 7.51.0-1 High Fixed
Date Advisory Group Package Severity Description
03 Nov 2016 ASA-201611-9 AVG-65 libcurl-gnutls High multiple issues
03 Nov 2016 ASA-201611-8 AVG-62 libcurl-compat High multiple issues
03 Nov 2016 ASA-201611-7 AVG-60 curl High multiple issues
02 Nov 2016 ASA-201611-5 AVG-63 lib32-libcurl-compat High multiple issues
02 Nov 2016 ASA-201611-4 AVG-61 lib32-curl High multiple issues
03 Nov 2016 ASA-201611-10 AVG-66 lib32-libcurl-gnutls High multiple issues
References
https://curl.haxx.se/docs/adv_20161102E.html