Bug 1005640 (CVE-2016-8620)

Summary: VUL-0: CVE-2016-8620: curl: glob parser write/read out of bounds
Product: [Novell Products] SUSE Security Incidents Reporter: Johannes Segitz <jsegitz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: astieger, krahmer, vcizek
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: CVSSv2:SUSE:CVE-2016-8620:1.9:(AV:L/AC:M/Au:N/C:N/I:N/A:P) CVSSv2:RedHat:CVE-2016-8620:5.8:(AV:N/AC:M/Au:N/C:P/I:P/A:N) CVSSv3:RedHat:CVE-2016-8620:6.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) CVSSv2:NVD:CVE-2016-8620:7.5:(AV:N/AC:L/Au:N/C:P/I:P/A:P) CVSSv3:NVD:CVE-2016-8620:9.8:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Johannes Segitz 2016-10-19 14:38:13 UTC
glob parser write/read out of bounds
====================================

Project cURL Security Advisory, November 2, 2016 -
[Permalink](https://curl.haxx.se/docs/adv_20161102F.html)

VULNERABILITY
-------------

The curl tool's "globbing" feature allows a user to specify a numerical range
through which curl will iterate. It is typically specified as [1-5],
specifying the first and the last numbers in the range. Or with [a-z], using
letters.

1. The curl code for parsing the second *unsigned* number did not check for a
leading minus character, which allowed a user to specify `[1--1]` with no
complaints and have the latter `-1` number get turned into the largest
unsigned long value the system can handle. This would ultimately cause curl to
write outside the dedicated malloced buffer after no less than 100,000
iterations, since it would have room for 5 digits but not 6.

2. When the range is specified with letters, and the ending letter is left out
`[L-]`, the code would still advance its read pointer 5 bytes even if the
string was just 4 bytes and end up reading outside the given buffer.

This flaw exists only in the curl tool, not in the libcurl library.

We are not aware of any exploit of this flaw.

INFO
----

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2016-XXXX to this issue.

AFFECTED VERSIONS
-----------------

This flaw exists in the following curl versions.

- Affected versions: curl 7.34.0 to and including 7.50.3
- Not affected versions: curl < 7.34.0 and curl >= 7.51.0

libcurl is used by many applications, but not always advertised as such!

THE SOLUTION
------------

In version 7.51.0, the function reading data will consider reading a zero size
to be an error and bail out.

A [patch for CVE-2016-XXXX](https://curl.haxx.se/s3c/F.patch) is available.

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

  A - Upgrade curl and libcurl to version 7.51.0

  B - Apply the patch to your version and rebuild

  C - Switch off globbing or make sure you have all ranges in use verified!

TIME LINE
---------

It was first reported to the curl project on October 2 by Lu§t Nguy­n.

We contacted distros@openwall on October 19.

curl 7.51.0 was released on November 2 2016, coordinated with the publication
of this advisory.

CREDITS
-------

Thanks to Lu§t Nguy­n.
Comment 1 Johannes Segitz 2016-10-19 14:38:32 UTC
From: Daniel Stenberg
We intend to publish the advisories, the patches and announce the new
release (7.51.0) with all of these problems fixed on November 2nd.

CRD: 2016-11-02

> SLE 12 only
Comment 2 Swamp Workflow Management 2016-10-19 22:04:32 UTC
bugbot adjusting priority
Comment 6 Swamp Workflow Management 2016-11-02 15:08:49 UTC
SUSE-SU-2016:2699-1: An update that fixes 11 vulnerabilities is now available.

Category: security (important)
Bug References: 1005633,1005634,1005635,1005637,1005638,1005640,1005642,1005643,1005645,1005646,998760
CVE References: CVE-2016-7167,CVE-2016-8615,CVE-2016-8616,CVE-2016-8617,CVE-2016-8618,CVE-2016-8619,CVE-2016-8620,CVE-2016-8621,CVE-2016-8622,CVE-2016-8623,CVE-2016-8624
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    curl-7.37.0-31.1
SUSE Linux Enterprise Server 12-SP1 (src):    curl-7.37.0-31.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    curl-7.37.0-31.1
Comment 7 Swamp Workflow Management 2016-11-10 16:07:39 UTC
openSUSE-SU-2016:2768-1: An update that fixes 11 vulnerabilities is now available.

Category: security (important)
Bug References: 1005633,1005634,1005635,1005637,1005638,1005640,1005642,1005643,1005645,1005646,998760
CVE References: CVE-2016-7167,CVE-2016-8615,CVE-2016-8616,CVE-2016-8617,CVE-2016-8618,CVE-2016-8619,CVE-2016-8620,CVE-2016-8621,CVE-2016-8622,CVE-2016-8623,CVE-2016-8624
Sources used:
openSUSE Leap 42.1 (src):    curl-7.37.0-16.1
Comment 8 Marcus Meissner 2016-12-16 16:15:37 UTC
released