Bug 1005634 – VUL-1: CVE-2016-8616: curl: case insensitive password comparison

Bug 1005634 - (CVE-2016-8616) VUL-1: CVE-2016-8616: curl: case insensitive password comparison

(CVE-2016-8616)
Summary:	VUL-1: CVE-2016-8616: curl: case insensitive password comparison

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Minor
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:
Whiteboard:	CVSSv2:SUSE:CVE-2016-8616:1.9:(AV:L/A...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2016-10-19 14:29 UTC by Johannes Segitz
Modified:	2019-05-29 07:20 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Johannes Segitz 2016-10-19 14:29:29 UTC

case insensitive password comparison
====================================

Project cURL Security Advisory, November 2, 2016 -
[Permalink](https://curl.haxx.se/docs/adv_20161102B.html)

VULNERABILITY
-------------

When re-using a connection, curl was doing case insensitive comparisons of
user name and password with the existing connections.

This means that if an unused connection with proper credentials exists for a
protocol that has connection-scoped credentials, an attacker can cause that
connection to be reused if s/he knows the case-insensitive version of the
correct password.

We are not aware of any exploit of this flaw.

INFO
----

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2016-XXXX to this issue.

AFFECTED VERSIONS
-----------------

This flaw exists in the following curl versions.

- Affected versions: curl 7.7 to and including 7.50.3
- Not affected versions: curl < 7.7 and curl >= 7.51.0

libcurl is used by many applications, but not always advertised as such!

THE SOLUTION
------------

In version 7.51.0, these functions will deny negative string lengths from
being used.

A [patch for CVE-2016-XXXX](https://curl.haxx.se/s3c/B.patch) is
available.

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

  A - Upgrade curl and libcurl to version 7.51.0

  B - Apply the patch to your version and rebuild

TIME LINE
---------

It was first reported to the curl project on September 23 by Cure53.

We contacted distros@openwall on October 19.

curl 7.51.0 was released on November 2 2016, coordinated with the publication
of this advisory.

CREDITS
-------

This vulnerability was found during a Secure Open Source audit performed by
Cure53.

Comment 1 Johannes Segitz 2016-10-19 14:29:41 UTC

From: Daniel Stenberg
We intend to publish the advisories, the patches and announce the new
release (7.51.0) with all of these problems fixed on November 2nd.

CRD: 2016-11-02

Comment 2 Swamp Workflow Management 2016-10-19 22:03:38 UTC

bugbot adjusting priority

Comment 9 Swamp Workflow Management 2016-11-02 15:08:12 UTC

SUSE-SU-2016:2699-1: An update that fixes 11 vulnerabilities is now available.

Category: security (important)
Bug References: 1005633,1005634,1005635,1005637,1005638,1005640,1005642,1005643,1005645,1005646,998760
CVE References: CVE-2016-7167,CVE-2016-8615,CVE-2016-8616,CVE-2016-8617,CVE-2016-8618,CVE-2016-8619,CVE-2016-8620,CVE-2016-8621,CVE-2016-8622,CVE-2016-8623,CVE-2016-8624
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    curl-7.37.0-31.1
SUSE Linux Enterprise Server 12-SP1 (src):    curl-7.37.0-31.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    curl-7.37.0-31.1

Comment 10 Swamp Workflow Management 2016-11-02 15:10:10 UTC

SUSE-SU-2016:2700-1: An update that fixes 13 vulnerabilities is now available.

Category: security (important)
Bug References: 1005633,1005634,1005635,1005637,1005638,1005642,1005645,1005646,997420,998760
CVE References: CVE-2016-5420,CVE-2016-7141,CVE-2016-7167,CVE-2016-8615,CVE-2016-8616,CVE-2016-8617,CVE-2016-8618,CVE-2016-8619,CVE-2016-8620,CVE-2016-8621,CVE-2016-8622,CVE-2016-8623,CVE-2016-8624
Sources used:
SUSE Studio Onsite 1.3 (src):    curl-7.19.7-1.20.47.2

Comment 11 Swamp Workflow Management 2016-11-03 14:09:03 UTC

SUSE-SU-2016:2714-1: An update that fixes 11 vulnerabilities is now available.

Category: security (important)
Bug References: 1005633,1005634,1005635,1005637,1005638,1005642,1005645,1005646,998760
CVE References: CVE-2016-7167,CVE-2016-8615,CVE-2016-8616,CVE-2016-8617,CVE-2016-8618,CVE-2016-8619,CVE-2016-8620,CVE-2016-8621,CVE-2016-8622,CVE-2016-8623,CVE-2016-8624
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    curl-7.19.7-1.64.1
SUSE Linux Enterprise Server 11-SP4 (src):    curl-7.19.7-1.64.1
SUSE Linux Enterprise Server 11-SECURITY (src):    curl-openssl1-7.19.7-1.64.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    curl-7.19.7-1.64.1

Comment 12 Swamp Workflow Management 2016-11-04 10:07:17 UTC

An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2016-11-18.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63187

Comment 13 Swamp Workflow Management 2016-11-10 16:07:05 UTC

openSUSE-SU-2016:2768-1: An update that fixes 11 vulnerabilities is now available.

Category: security (important)
Bug References: 1005633,1005634,1005635,1005637,1005638,1005640,1005642,1005643,1005645,1005646,998760
CVE References: CVE-2016-7167,CVE-2016-8615,CVE-2016-8616,CVE-2016-8617,CVE-2016-8618,CVE-2016-8619,CVE-2016-8620,CVE-2016-8621,CVE-2016-8622,CVE-2016-8623,CVE-2016-8624
Sources used:
openSUSE Leap 42.1 (src):    curl-7.37.0-16.1

Comment 14 Sebastian Krahmer 2016-11-14 12:59:57 UTC

released