Bug 1005634 - (CVE-2016-8616) VUL-1: CVE-2016-8616: curl: case insensitive password comparison
(CVE-2016-8616)
VUL-1: CVE-2016-8616: curl: case insensitive password comparison
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Minor
: ---
Assigned To: Security Team bot
Security Team bot
CVSSv2:SUSE:CVE-2016-8616:1.9:(AV:L/A...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-10-19 14:29 UTC by Johannes Segitz
Modified: 2019-05-29 07:20 UTC (History)
3 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Johannes Segitz 2016-10-19 14:29:29 UTC
case insensitive password comparison
====================================

Project cURL Security Advisory, November 2, 2016 -
[Permalink](https://curl.haxx.se/docs/adv_20161102B.html)

VULNERABILITY
-------------

When re-using a connection, curl was doing case insensitive comparisons of
user name and password with the existing connections.

This means that if an unused connection with proper credentials exists for a
protocol that has connection-scoped credentials, an attacker can cause that
connection to be reused if s/he knows the case-insensitive version of the
correct password.

We are not aware of any exploit of this flaw.

INFO
----

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2016-XXXX to this issue.

AFFECTED VERSIONS
-----------------

This flaw exists in the following curl versions.

- Affected versions: curl 7.7 to and including 7.50.3
- Not affected versions: curl < 7.7 and curl >= 7.51.0

libcurl is used by many applications, but not always advertised as such!

THE SOLUTION
------------

In version 7.51.0, these functions will deny negative string lengths from
being used.

A [patch for CVE-2016-XXXX](https://curl.haxx.se/s3c/B.patch) is
available.

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

  A - Upgrade curl and libcurl to version 7.51.0

  B - Apply the patch to your version and rebuild

TIME LINE
---------

It was first reported to the curl project on September 23 by Cure53.

We contacted distros@openwall on October 19.

curl 7.51.0 was released on November 2 2016, coordinated with the publication
of this advisory.

CREDITS
-------

This vulnerability was found during a Secure Open Source audit performed by
Cure53.
Comment 1 Johannes Segitz 2016-10-19 14:29:41 UTC
From: Daniel Stenberg
We intend to publish the advisories, the patches and announce the new
release (7.51.0) with all of these problems fixed on November 2nd.

CRD: 2016-11-02
Comment 2 Swamp Workflow Management 2016-10-19 22:03:38 UTC
bugbot adjusting priority
Comment 9 Swamp Workflow Management 2016-11-02 15:08:12 UTC
SUSE-SU-2016:2699-1: An update that fixes 11 vulnerabilities is now available.

Category: security (important)
Bug References: 1005633,1005634,1005635,1005637,1005638,1005640,1005642,1005643,1005645,1005646,998760
CVE References: CVE-2016-7167,CVE-2016-8615,CVE-2016-8616,CVE-2016-8617,CVE-2016-8618,CVE-2016-8619,CVE-2016-8620,CVE-2016-8621,CVE-2016-8622,CVE-2016-8623,CVE-2016-8624
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    curl-7.37.0-31.1
SUSE Linux Enterprise Server 12-SP1 (src):    curl-7.37.0-31.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    curl-7.37.0-31.1
Comment 10 Swamp Workflow Management 2016-11-02 15:10:10 UTC
SUSE-SU-2016:2700-1: An update that fixes 13 vulnerabilities is now available.

Category: security (important)
Bug References: 1005633,1005634,1005635,1005637,1005638,1005642,1005645,1005646,997420,998760
CVE References: CVE-2016-5420,CVE-2016-7141,CVE-2016-7167,CVE-2016-8615,CVE-2016-8616,CVE-2016-8617,CVE-2016-8618,CVE-2016-8619,CVE-2016-8620,CVE-2016-8621,CVE-2016-8622,CVE-2016-8623,CVE-2016-8624
Sources used:
SUSE Studio Onsite 1.3 (src):    curl-7.19.7-1.20.47.2
Comment 11 Swamp Workflow Management 2016-11-03 14:09:03 UTC
SUSE-SU-2016:2714-1: An update that fixes 11 vulnerabilities is now available.

Category: security (important)
Bug References: 1005633,1005634,1005635,1005637,1005638,1005642,1005645,1005646,998760
CVE References: CVE-2016-7167,CVE-2016-8615,CVE-2016-8616,CVE-2016-8617,CVE-2016-8618,CVE-2016-8619,CVE-2016-8620,CVE-2016-8621,CVE-2016-8622,CVE-2016-8623,CVE-2016-8624
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    curl-7.19.7-1.64.1
SUSE Linux Enterprise Server 11-SP4 (src):    curl-7.19.7-1.64.1
SUSE Linux Enterprise Server 11-SECURITY (src):    curl-openssl1-7.19.7-1.64.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    curl-7.19.7-1.64.1
Comment 12 Swamp Workflow Management 2016-11-04 10:07:17 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2016-11-18.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63187
Comment 13 Swamp Workflow Management 2016-11-10 16:07:05 UTC
openSUSE-SU-2016:2768-1: An update that fixes 11 vulnerabilities is now available.

Category: security (important)
Bug References: 1005633,1005634,1005635,1005637,1005638,1005640,1005642,1005643,1005645,1005646,998760
CVE References: CVE-2016-7167,CVE-2016-8615,CVE-2016-8616,CVE-2016-8617,CVE-2016-8618,CVE-2016-8619,CVE-2016-8620,CVE-2016-8621,CVE-2016-8622,CVE-2016-8623,CVE-2016-8624
Sources used:
openSUSE Leap 42.1 (src):    curl-7.37.0-16.1
Comment 14 Sebastian Krahmer 2016-11-14 12:59:57 UTC
released