Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 638734 (CVE-2017-8816, CVE-2017-8817, CVE-2017-8818)

Summary: <net-misc/curl-7.57.0: Multiple vulnerabilities (CVE-2017-{8816,8817,8818})
Product: Gentoo Security Reporter: Thomas Deutschmann (RETIRED) <whissi>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: blueness
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A3 [glsa cve]
Package list:
net-misc/curl-7.57.0
Runtime testing required: ---

Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-11-24 19:16:37 UTC
Incoming details.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-11-29 12:16:25 UTC
NTLM buffer overflow via integer overflow (CVE-2017-8816)

libcurl contains a buffer overrun flaw in the NTLM authentication code.

The internal function Curl_ntlm_core_mk_ntlmv2_hash sums up the lengths of the user name + password (= SUM) and multiplies the sum by two (= SIZE) to figure out how large storage to allocate from the heap.

The SUM value is subsequently used to iterate over the input and generate output into the storage buffer. On systems with a 32 bit size_t, the math to calculate SIZE triggers an integer overflow when the combined lengths of the user name and password is larger than 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a buffer overrun.

We are not aware of any exploit of this flaw.
INFO

This bug was introduced in commit 86724581b6c02d160b5, January 2014.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2017-8816 to this issue.
AFFECTED VERSIONS

This is only an issue on 32 bit systems. It also requires the user and password fields to use more than 2GB of memory combined, which in itself should be rare.

    Affected versions: libcurl 7.36.0 to and including 7.56.1
    Not affected versions: libcurl < 7.36.0 and >= 7.57.0

curl is used by many applications, but not always advertised as such.
THE SOLUTION

In libcurl version 7.57.0, the integer overflow is avoided.

https://curl.haxx.se/docs/adv_2017-12e7.html



FTP wildcard out of bounds read (CVE-2017-8817)

libcurl contains a read out of bounds flaw in the FTP wildcard function.

libcurl's FTP wildcard matching feature, which is enabled with the CURLOPT_WILDCARDMATCH option can use a built-in wildcard function or a user provided one. The built-in wildcard function has a flaw that makes it not detect the end of the pattern string if it ends with an open bracket ([) but instead it will continue reading the heap beyond the end of the URL buffer that holds the wildcard.

For applications that use HTTP(S) URLs, allow libcurl to handle redirects and have FTP wildcards enabled, this flaw can be triggered by malicious servers that can redirect clients to a URL using such a wildcard pattern.

We are not aware of any exploit of this flaw.
INFO

This bug was introduced in commit 0825cd80a62c, May 2010.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2017-8817 to this issue.
AFFECTED VERSIONS

    Affected versions: libcurl 7.21.0 to and including 7.56.1
    Not affected versions: libcurl < 7.21.0 and >= 7.57.0

curl is used by many applications, but not always advertised as such.
THE SOLUTION

In libcurl version 7.57.0, there's a better check for the end of the string. Additionally, the wildcard feature is turned off if the URL passed to libcurl is not using FTP(S), so a redirect to an FTP URL cannot trigger wildcard functionality.

RECOMMENDATIONS

We suggest you take one of the following actions immediately, in order of preference:

A - Upgrade curl to version 7.57.0

B - Apply the patch to your version and rebuild

C - Do not use CURLOPT_WILDCARDMATCH without carfully verifying the patterns used.

https://curl.haxx.se/docs/adv_2017-ae72.html



SSL out of buffer access (CVE-2017-8818)

libcurl contains an out boundary access flaw in SSL related code.

When allocating memory for a connection (the internal struct called connectdata), a certain amount of memory is allocated at the end of the struct to be used for SSL related structs. Those structs are used by the particular SSL library libcurl is built to use. The application can also tell libcurl which specific SSL library to use if it was built to support more than one.

The math used to calculate the extra memory amount necessary for the SSL library was wrong on 32 bit systems, which made the allocated memory too small by 4 bytes. The last struct member of the last object within the memory area could then be outside of what was allocated. Accessing that member could lead to a crash or other undefined behaviors depending on what memory that is present there and how the particular SSL library decides to act on that memory content.

Specifically the vulnerability is present if libcurl was built so that sizeof(long long *) < sizeof(long long) which as far as we are aware only happens in 32-bit builds.

We are not aware of any exploit of this flaw.

INFO

This bug was introduced in commit 70f1db321a, July 2017.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2017-8818 to this issue.
AFFECTED VERSIONS

This is only an issue on systems with 32 bit pointers. (Technically, on systems where sizeof(long long *) < sizeof(long long).)

    Affected versions: libcurl 7.56.0 to and including 7.56.1
    Not affected versions: libcurl < 7.56.0 and >= 7.57.0

curl is used by many applications, but not always advertised as such.
THE SOLUTION

In libcurl version 7.57.0, the allocation size is corrected.

https://curl.haxx.se/docs/adv_2017-af0a.html
Comment 2 Anthony Basile gentoo-dev 2017-11-29 16:15:40 UTC
curl-7.57.0 is in the tree and can be rapid stabilized

KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-11-29 18:53:19 UTC
x86 stable
Comment 4 Tobias Klausmann (RETIRED) gentoo-dev 2017-11-30 11:36:24 UTC
Stable on alpha.
Comment 5 Anthony Basile gentoo-dev 2017-11-30 19:53:29 UTC
stable on ppc and ppc64
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2017-11-30 20:10:24 UTC
sparc stable (thanks to Rolf Eike Beer)
Comment 7 Agostino Sarubbo gentoo-dev 2017-12-01 11:21:13 UTC
amd64 stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2017-12-06 22:48:44 UTC
hppa stable (thanks to Rolf Eike Beer)
Comment 9 Markus Meier gentoo-dev 2017-12-12 18:40:38 UTC
arm stable
Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev 2017-12-14 16:25:03 UTC
Added to an existing GLSA.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2017-12-14 18:48:21 UTC
This issue was resolved and addressed in
 GLSA 201712-04 at https://security.gentoo.org/glsa/201712-04
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 12 Thomas Deutschmann (RETIRED) gentoo-dev 2017-12-14 18:49:10 UTC
Re-opening for remaining architecture/cleanup.
Comment 13 Anthony Basile gentoo-dev 2017-12-14 19:29:51 UTC
(In reply to Thomas Deutschmann from comment #12)
> Re-opening for remaining architecture/cleanup.

ping @ia64.
Comment 14 Sergei Trofimovich (RETIRED) gentoo-dev 2017-12-14 19:30:45 UTC
ia64 stable
Comment 15 Anthony Basile gentoo-dev 2017-12-22 11:33:52 UTC
The vulnerable versions are off the tree.
Comment 16 Thomas Deutschmann (RETIRED) gentoo-dev 2017-12-22 11:36:14 UTC
All done, repository is clean.