CURL-CVE-2016-8618

Source
https://curl.se/docs/CVE-2016-8618.html
Import Source
https://curl.se/docs/CURL-CVE-2016-8618.json
JSON Data
https://api.osv.dev/v1/vulns/CURL-CVE-2016-8618
Aliases
Published
2016-11-02T08:00:00Z
Modified
2024-06-07T13:53:51Z
Summary
double free in curl_maprintf
Details

The libcurl API function called curl_maprintf() can be tricked into doing a double free due to an unsafe size_t multiplication, on systems using 32 bit size_t variables. The function is also used internally in numerous situations.

The function doubles an allocated memory area with realloc() and allows the size to wrap and become zero and when doing so realloc() returns NULL and frees the memory - in contrary to normal realloc() fails where it only returns NULL - causing libcurl to free the memory again in the error path.

Systems with 64 bit versions of the size_t type are not affected by this issue.

This behavior can be triggered using the publicly exposed function.

References
Credits
    • Cure53 - FINDER
    • Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type
SEMVER
Events
Introduced
5.4
Fixed
7.51.0
Type
GIT
Repo
https://github.com/curl/curl.git
Events

Affected versions

5.*

5.10
5.11
5.4
5.5
5.5.1
5.7
5.7.1
5.8
5.9
5.9.1

6.*

6.0
6.1
6.2
6.3
6.3.1
6.4
6.5
6.5.1
6.5.2

7.*

7.1
7.1.1
7.10
7.10.1
7.10.2
7.10.3
7.10.4
7.10.5
7.10.6
7.10.7
7.10.8
7.11.0
7.11.1
7.11.2
7.12.0
7.12.1
7.12.2
7.12.3
7.13.0
7.13.1
7.13.2
7.14.0
7.14.1
7.15.0
7.15.1
7.15.2
7.15.3
7.15.4
7.15.5
7.16.0
7.16.1
7.16.2
7.16.3
7.16.4
7.17.0
7.17.1
7.18.0
7.18.1
7.18.2
7.19.0
7.19.1
7.19.2
7.19.3
7.19.4
7.19.5
7.19.6
7.19.7
7.2
7.2.1
7.20.0
7.20.1
7.21.0
7.21.1
7.21.2
7.21.3
7.21.4
7.21.5
7.21.6
7.21.7
7.22.0
7.23.0
7.23.1
7.24.0
7.25.0
7.26.0
7.27.0
7.28.0
7.28.1
7.29.0
7.3
7.30.0
7.31.0
7.32.0
7.33.0
7.34.0
7.35.0
7.36.0
7.37.0
7.37.1
7.38.0
7.39.0
7.4
7.4.1
7.4.2
7.40.0
7.41.0
7.42.0
7.42.1
7.43.0
7.44.0
7.45.0
7.46.0
7.47.0
7.47.1
7.48.0
7.49.0
7.49.1
7.5
7.5.1
7.5.2
7.50.0
7.50.1
7.50.2
7.50.3
7.6
7.6.1
7.7
7.7.1
7.7.2
7.7.3
7.8
7.8.1
7.9
7.9.1
7.9.2
7.9.3
7.9.4
7.9.5
7.9.6
7.9.7
7.9.8