Bug 1015332 - (CVE-2016-9586) VUL-1: CVE-2016-9586: curl: libcurl printf floating point buffer overflow
Status: RESOLVED FIXED
Duplicates: 1016653
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
CVSSv2:SUSE:CVE-2016-9586:1.2:(AV:L/A...
Depends on:
Blocks:
Reported: 2016-12-13 13:38 UTC by Marcus Meissner
Modified: 2020-06-16 01:45 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
Updated patch (9.20 KB, patch)
2016-12-15 08:42 UTC, Johannes Segitz
Patches for SLE-10, 11 and 12 (10.00 KB, application/x-tar)
2017-03-21 10:55 UTC, Pedro Monreal Gonzalez
Updated patches for SLE-10, 11 and 12. (20.00 KB, application/x-tar)
2017-04-06 12:30 UTC, Pedro Monreal Gonzalez

Comment 4 Johannes Segitz 2016-12-15 08:42:31 UTC
Created attachment 706559 [details]
Updated patch

Seth Arnold:
Friends, an off-list discussion with Daniel led to him refreshing the
patch (same url) to increase the buffer size to 326 bytes to handle
-DBL_MAX as possible input.
Comment 5 Marcus Meissner 2016-12-21 07:45:37 UTC
*** Bug 1016653 has been marked as a duplicate of this bug. ***
Comment 6 Marcus Meissner 2016-12-21 07:46:28 UTC
now public

printf floating point buffer overflow
=====================================

Project curl Security Advisory, December 21, 2016 -
[Permalink](https://curl.haxx.se/docs/adv_20161221A.html)

VULNERABILITY
-------------

libcurl's implementation of the printf() functions triggers a buffer overflow
when doing a large floating point output. The bug occurs when the conversion
outputs more than 255 bytes.

The flaw happens because the floating point conversion is using system
functions without the correct boundary checks.

The functions have been documented as deprecated for a long time and users are
discouraged from using them in "new programs" as they are planned to get
removed at a future point. But as the functions are present and there's
nothing preventing users from using them, we expect there to be a certain
amount of existing users in the wild.

If there is any application that accepts a format string from the outside
without necessary input filtering, it could allow remote attacks.

This flaw does not exist in the command line tool.

We are not aware of any exploit of this flaw.

INFO
----

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2016-9586 to this issue.

AFFECTED VERSIONS
-----------------

This flaw exists in the following libcurl versions.

- Affected versions: libcurl 7.1 to and including 7.51.0
- Not affected versions: libcurl >= 7.52.0

libcurl is used by many applications, but not always advertised as such!

THE SOLUTION
------------

In version 7.52.0, the conversion is limited to never generate a larger output
than what fits in the fixed size buffer.

A [patch for CVE-2016-9586](https://curl.haxx.se/CVE-2016-9586.patch) is
available.

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

  A - Upgrade curl and libcurl to version 7.52.0

  B - Apply the patch to your version and rebuild

  C - Do not use the `curl_mprintf()` functions

TIME LINE
---------

It was first reported to the curl project on November 8 by Daniel Stenberg.

We contacted distros@openwall on December 13.

curl 7.52.0 was released on December 21 2016, coordinated with the publication
of this advisory.

CREDITS
-------

Reported and patched by Daniel Stenberg.

-- 

  / daniel.haxx.se
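An added example (not curl's or libcurl's own code) of the bug class the advisory describes and of the bounded conversion the fix relies on: a double formatted with "%f" can exceed the 255 characters a 256-byte work buffer holds, and -DBL_MAX is the widest such input, which is why the refreshed patch sized the buffer at 326 bytes. The names `double_conv_width`, `format_double_bounded` and `WORK_BUFSIZE` are this example's own.

```c
/* Added example, not libcurl's code. The unsafe pattern behind
 * CVE-2016-9586 is sprintf() of a double into a small fixed buffer;
 * here the conversion is measured first and then written with a bound. */
#include <float.h>
#include <stdio.h>
#include <string.h>

#define WORK_BUFSIZE 256   /* the fixed-size work buffer from the advisory */

/* Number of characters fmt would produce for v, without writing anything:
 * snprintf() with a NULL, zero-sized buffer returns the full length. */
int double_conv_width(const char *fmt, double v)
{
    return snprintf(NULL, 0, fmt, v);
}

/* Hardened conversion: never writes more than cap bytes and reports
 * truncation instead of running past the buffer.
 * Returns 1 when the whole conversion fit, 0 when it was cut short
 * (the buffer is still NUL-terminated in that case). */
int format_double_bounded(char *out, size_t cap, const char *fmt, double v)
{
    int needed;
    if (cap == 0)
        return 0;
    needed = snprintf(out, cap, fmt, v);
    if (needed < 0) {          /* encoding error: leave an empty string */
        out[0] = '\0';
        return 0;
    }
    return (size_t)needed < cap;
}

int main(void)
{
    char work[WORK_BUFSIZE];
    int w = double_conv_width("%f", -DBL_MAX);   /* 309 digits + ".000000" + sign */

    printf("\"%%f\" of -DBL_MAX needs %d bytes; buffer holds %d\n",
           w, WORK_BUFSIZE - 1);
    if (!format_double_bounded(work, sizeof(work), "%f", -DBL_MAX))
        printf("conversion truncated to %zu bytes instead of overflowing\n",
               strlen(work));
    return 0;
}
```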
Comment 8 Pedro Monreal Gonzalez 2017-03-21 10:55:35 UTC
Created attachment 718158 [details]
Patches for SLE-10, 11 and 12

CVE corrected upstream in versions libcurl >= 7.52.0.
Patches for SLE-10, 11 and 12:

Factory             7.53.1  Not affected                        #Request
Leap:42.2:Update    7.37.0  Comes from SLE-12:Update
Leap:42.1:Update    7.37.0  Comes from SLE-12:Update
SLE-12:Update       7.37.0  curl-7.37-CVE-2016-9586.patch       #129639
SLE-11-SP3:Update   7.19.7  curl-7.19-CVE-2016-9586.patch       #129626
SLE-11-SP1:Update   7.19.7  curl-7.19-CVE-2016-9586.patch       #129641
SLE-10-SP3:Update   7.15.1  curl-7.19-CVE-2016-9586.patch       #129628

Added patch for version 7.37.0  curl-7.37-CVE-2016-9586.patch
Added patch for versions 7.19.7 and 7.15.1 curl-7.19-CVE-2016-9586.patch

Reassigning bug to the security-team.
Comment 10 Swamp Workflow Management 2017-03-24 08:38:30 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2017-04-07.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63501
Comment 12 Pedro Monreal Gonzalez 2017-04-06 12:30:20 UTC
Created attachment 720102 [details]
Updated patches for SLE-10, 11 and 12.

After revision, the patch for SUSE:SLE-10-SP3 has been updated and this bug has been included in the following requests:

SUSE:SLE-12:Update      7.37.0  curl-7.37-CVE-2016-9586.patch   mr#130410
SUSE:SLE-11-SP3:Update  7.19.7  curl-7.19-CVE-2016-9586.patch   sr#130452
SUSE:SLE-11-SP1:Update  7.19.7  curl-7.19-CVE-2016-9586.patch   sr#130459
SUSE:SLE-10-SP3:Update  7.15.1  curl-7.15-CVE-2016-9586.patch   sr#130442

This comment updates Comment#8.

Reassigning bug to the security-team.
Comment 14 Swamp Workflow Management 2017-04-18 13:11:45 UTC
SUSE-SU-2017:1042-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1015332,1027712,1032309
CVE References: CVE-2016-9586,CVE-2017-7407
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    curl-7.37.0-36.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    curl-7.37.0-36.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    curl-7.37.0-36.1
SUSE Linux Enterprise Server 12-SP2 (src):    curl-7.37.0-36.1
SUSE Linux Enterprise Server 12-SP1 (src):    curl-7.37.0-36.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    curl-7.37.0-36.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    curl-7.37.0-36.1
OpenStack Cloud Magnum Orchestration 7 (src):    curl-7.37.0-36.1
Comment 15 Swamp Workflow Management 2017-04-18 13:12:35 UTC
SUSE-SU-2017:1043-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1015332,1032309
CVE References: CVE-2016-9586,CVE-2017-7407
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    curl-7.19.7-1.69.1
SUSE Linux Enterprise Server 11-SP4 (src):    curl-7.19.7-1.69.1
SUSE Linux Enterprise Server 11-SECURITY (src):    curl-openssl1-7.19.7-1.69.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    curl-7.19.7-1.69.1
Comment 16 Swamp Workflow Management 2017-04-26 16:09:50 UTC
openSUSE-SU-2017:1105-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1015332,1027712,1032309
CVE References: CVE-2016-9586,CVE-2017-7407
Sources used:
openSUSE Leap 42.2 (src):    curl-7.37.0-16.3.1
openSUSE Leap 42.1 (src):    curl-7.37.0-19.1
Comment 17 Swamp Workflow Management 2017-04-26 19:12:59 UTC
SUSE-SU-2017:1117-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1015332,1032309
CVE References: CVE-2016-9586,CVE-2017-7407
Sources used:
SUSE Studio Onsite 1.3 (src):    curl-7.19.7-1.20.52.2
Comment 18 Marcus Meissner 2017-06-15 20:09:37 UTC
released
Comment 21 Swamp Workflow Management 2017-08-31 16:08:31 UTC
SUSE-SU-2017:2312-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1015332,1032309,1051644
CVE References: CVE-2016-9586,CVE-2017-1000100,CVE-2017-7407
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    curl-7.19.7-1.70.3.1
SUSE Linux Enterprise Server 11-SP4 (src):    curl-7.19.7-1.70.3.1
SUSE Linux Enterprise Server 11-SECURITY (src):    curl-openssl1-7.19.7-1.70.3.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    curl-7.19.7-1.70.3.1
Comment 25 Marcus Meissner 2019-06-12 06:43:33 UTC
.