CVE-2016-8622 Information
Description
The URL percent-encoding decode function in libcurl before 7.51.0 is called curl_easy_unescape. Internally even if this function would be made to allocate a unscape destination buffer larger than 2GB it would return that new length in a signed 32 bit integer variable thus the length would get either just truncated or both truncated and turned negative. That could then lead to libcurl writing outside of its heap based buffer.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Reference
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
http://www.securityfocus.com/bid/94105
http://www.securitytracker.com/id/1037192
https://access.redhat.com/errata/RHSA-2018:2486
https://access.redhat.com/errata/RHSA-2018:3558
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8622
https://curl.haxx.se/docs/adv_20161102H.html
https://curl.haxx.se/docs/adv_20161102H.html
https://security.gentoo.org/glsa/201701-47
https://www.tenable.com/security/tns-2016-21
The
URL
percent-encoding
decode
function
in
libcurl
before
7.51.0
is
called
curl_easy_unescape.
Internally
even
if
this
function
would
be
made
to
allocate
a
unscape
destination
buffer
larger
than
2GB
it
would
return
that
new
length
in
a
signed
32
bit
integer
variable
thus
the
length
would
get
either
just
truncated
or
both
truncated
and
turned
negative.
That
could
then
lead
to
libcurl
writing
outside
of
its
heap
based
buffer.
cpe:2.3:a:haxx:libcurl::::::::
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
NONE
Scope
NONE
Confidentiality Impact
UNCHANGED
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
HIGH
Base Severity
9.8
Share on: