CURL-CVE-2016-8622

See a problem?
Please try reporting it to the source first.
Source
https://curl.se/docs/CVE-2016-8622.html
Import Source
https://curl.se/docs/CURL-CVE-2016-8622.json
JSON Data
https://api.osv.dev/v1/vulns/CURL-CVE-2016-8622
Aliases
Published
2016-11-02T08:00:00Z
Modified
2024-01-25T02:42:46.665816Z
Summary
URL unescape heap overflow via integer truncation
Details

The URL percent-encoding decode function in libcurl is called curl_easy_unescape. Internally, even if this function would be made to allocate a destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus the length would get either just truncated or both truncated and turned negative. That could then lead to libcurl writing outside of its heap based buffer.

This can be triggered by a user on a 64bit system if the user can send in a custom (very large) URL to a libcurl using program.

References
Credits
    • Cure53 - FINDER
    • Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type
SEMVER
Events
Introduced
7.24.0
Fixed
7.51.0
Type
GIT
Repo
https://github.com/curl/curl.git
Events
Introduced
75ca568fa1c19de4c5358fed246686de8467c238
Fixed
53e71e47d6b81650d26ec33a58d0dca24c7ffb2c

Affected versions

7.*

7.24.0
7.25.0
7.26.0
7.27.0
7.28.0
7.28.1
7.29.0
7.30.0
7.31.0
7.32.0
7.33.0
7.34.0
7.35.0
7.36.0
7.37.0
7.37.1
7.38.0
7.39.0
7.40.0
7.41.0
7.42.0
7.42.1
7.43.0
7.44.0
7.45.0
7.46.0
7.47.0
7.47.1
7.48.0
7.49.0
7.49.1
7.50.0
7.50.1
7.50.2
7.50.3