CURL-CVE-2016-8617
- Source
- https://curl.se/docs/CVE-2016-8617.html
- Import Source
- https://curl.se/docs/CURL-CVE-2016-8617.json
- JSON Data
- https://api.osv.dev/v1/vulns/CURL-CVE-2016-8617
- Aliases
- Published
- 2016-11-02T08:00:00Z
- Modified
- 2024-06-07T13:53:51Z
- Summary
- OOB write via unchecked multiplication
- Details
-
In libcurl's base64 encode function, the output buffer is allocated as follows without any checks on
insize:malloc( insize * 4 / 3 + 4 )On systems with 32-bit addresses in userspace (e.g. x86, ARM, x32), the multiplication in the expression wraps around if
insizeis at least 1GB of data. If this happens, an undersized output buffer is allocated, but the full result is written, thus causing the memory behind the output buffer to be overwritten.If a username is set directly via
CURLOPT_USERNAME(or curl's-u, --useroption), this vulnerability can be triggered. The name has to be at least 512MB big in a 32bit system.Systems with 64 bit versions of the
size_ttype are not affected by this issue. - References
-
- Credits
-
-
- Cure53 - FINDER
-
- Daniel Stenberg - REMEDIATION_DEVELOPER
-
Affected packages
Git / github.com/curl/curl.git
Affected ranges
- Type
- SEMVER
- Events
-
Introduced7.8.1Fixed7.51.0
- Type
- GIT
- Repo
- https://github.com/curl/curl.git
- Events
Affected versions
7.*
7.10
7.10.1
7.10.2
7.10.3
7.10.4
7.10.5
7.10.6
7.10.7
7.10.8
7.11.0
7.11.1
7.11.2
7.12.0
7.12.1
7.12.2
7.12.3
7.13.0
7.13.1
7.13.2
7.14.0
7.14.1
7.15.0
7.15.1
7.15.2
7.15.3
7.15.4
7.15.5
7.16.0
7.16.1
7.16.2
7.16.3
7.16.4
7.17.0
7.17.1
7.18.0
7.18.1
7.18.2
7.19.0
7.19.1
7.19.2
7.19.3
7.19.4
7.19.5
7.19.6
7.19.7
7.20.0
7.20.1
7.21.0
7.21.1
7.21.2
7.21.3
7.21.4
7.21.5
7.21.6
7.21.7
7.22.0
7.23.0
7.23.1
7.24.0
7.25.0
7.26.0
7.27.0
7.28.0
7.28.1
7.29.0
7.30.0
7.31.0
7.32.0
7.33.0
7.34.0
7.35.0
7.36.0
7.37.0
7.37.1
7.38.0
7.39.0
7.40.0
7.41.0
7.42.0
7.42.1
7.43.0
7.44.0
7.45.0
7.46.0
7.47.0
7.47.1
7.48.0
7.49.0
7.49.1
7.50.0
7.50.1
7.50.2
7.50.3
7.8.1
7.9
7.9.1
7.9.2
7.9.3
7.9.4
7.9.5
7.9.6
7.9.7
7.9.8