Bug 603370 (CVE-2016-9586) - <net-misc/curl-7.52.0: printf floating point buffer overflow
Summary: <net-misc/curl-7.52.0: printf floating point buffer overflow
Status: RESOLVED FIXED
Alias: CVE-2016-9586
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://curl.haxx.se/docs/adv_2016122...
Whiteboard: B2 [glsa cve]
Keywords:
Depends on: CVE-2016-9594
Blocks: CVE-2016-8615, CVE-2016-8616, CVE-2016-8617, CVE-2016-8618, CVE-2016-8619, CVE-2016-8620, CVE-2016-8621, CVE-2016-8622, CVE-2016-8623, CVE-2016-8624, CVE-2016-8625
Reported: 2016-12-21 19:47 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2017-01-19 19:57 UTC (History)

See Also:
Package list:
=net-misc/curl-7.52.0 =net-dns/libidn2-0.11
Runtime testing required: ---
kensington: sanity-check+


Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-12-21 19:47:36 UTC
printf floating point buffer overflow
=====================================

Project curl Security Advisory, December 21, 2016 -
[Permalink](https://curl.haxx.se/docs/adv_20161221A.html)

VULNERABILITY
-------------

libcurl's implementation of the printf() functions triggers a buffer overflow
when doing a large floating point output. The bug occurs when the conversion
outputs more than 255 bytes.

The flaw happens because the floating point conversion is using system
functions without the correct boundary checks.

The functions have been documented as deprecated for a long time and users are
discouraged from using them in "new programs" as they are planned to get
removed at a future point. But as the functions are present and there's
nothing preventing users from using them, we expect there to be a certain
amount of existing users in the wild.

If there is any application that accepts a format string from the outside
without the necessary input filtering, it could allow remote attacks.

This flaw does not exist in the command line tool.

We are not aware of any exploit of this flaw.

INFO
----

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2016-9586 to this issue.

AFFECTED VERSIONS
-----------------

This flaw exists in the following libcurl versions.

- Affected versions: libcurl 7.1 to and including 7.51.0
- Not affected versions: libcurl >= 7.52.0

libcurl is used by many applications, but not always advertised as such!

THE SOLUTION
------------

In version 7.52.0, the conversion is limited to never generate a larger output
than what fits in the fixed size buffer.

A [patch for CVE-2016-9586](https://curl.haxx.se/CVE-2016-9586.patch) is
available.

RECOMMENDATIONS
---------------
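The advisory above describes a fixed-size work buffer being handed to the host's sprintf for a floating point conversion with no check that width, precision or the magnitude of the value keep the output under 256 bytes. The following C program is an added example written for this page; it is not curl's mprintf code and not the upstream patch. It shows the unsafe pattern (measured rather than actually overrun, so the program itself is memory-safe) beside a bounded version that clamps width and precision and checks snprintf's return value. WORK_BUF, the function names and the clamping arithmetic are this example's own assumptions.

```c
/* Added example, not libcurl code: a fixed-size work buffer fed by a
 * caller-controlled "%[width][.prec]f" conversion, unsafe and bounded. */
#include <stdio.h>
#include <string.h>

#define WORK_BUF 256   /* assumed work buffer: 255 bytes of output plus NUL */

/* Assemble "%[width][.prec]f" from parsed width/precision (-1 = absent). */
static void build_fmt(char *fmt, size_t fmtlen, int width, int prec)
{
    int n = snprintf(fmt, fmtlen, "%%");
    if (width >= 0)
        n += snprintf(fmt + n, fmtlen - (size_t)n, "%d", width);
    if (prec >= 0)
        n += snprintf(fmt + n, fmtlen - (size_t)n, ".%d", prec);
    snprintf(fmt + n, fmtlen - (size_t)n, "f");
}

/* Unsafe pattern: sprintf(work, fmt, val) into a WORK_BUF array with no
 * bound.  This function only measures what such a call would write, so
 * nothing is overrun here; it returns the length and flags an overflow. */
int unsafe_conversion_length(int width, int prec, double val, int *would_overflow)
{
    char fmt[64];
    build_fmt(fmt, sizeof fmt, width, prec);
    int n = snprintf(NULL, 0, fmt, val);   /* bytes sprintf would emit */
    *would_overflow = (n < 0 || n >= WORK_BUF);
    return n;
}

/* Bounded pattern: clamp width and precision so padding alone can never
 * exceed the buffer, shrink precision further for values with many integer
 * digits, then snprintf into the work buffer and check the return value so
 * a value that still does not fit is refused instead of overflowing.
 * Returns bytes written to out, or -1 if the conversion does not fit. */
int safe_conversion(char *out, size_t outlen, int width, int prec, double val)
{
    char work[WORK_BUF];
    char fmt[64];

    if (width >= WORK_BUF)
        width = WORK_BUF - 1;
    if (prec >= 0) {
        int digits = 1;                      /* integer digits of |val| */
        double v = val < 0 ? -val : val;
        while (v >= 10.0 && digits < WORK_BUF) { v /= 10.0; digits++; }
        int maxprec = WORK_BUF - 4 - digits; /* room for sign, '.', NUL */
        if (maxprec < 0)
            maxprec = 0;
        if (prec > maxprec)
            prec = maxprec;
    }
    build_fmt(fmt, sizeof fmt, width, prec);

    int n = snprintf(work, sizeof work, fmt, val);
    if (n < 0 || n >= (int)sizeof work)
        return -1;   /* truncated: report an error rather than smash memory */
    if ((size_t)n >= outlen)
        return -1;
    memcpy(out, work, (size_t)n + 1);
    return n;
}

/* Small wrappers so the two paths can be compared on the same inputs. */
int unsafe_would_overflow(int width, int prec, double val)
{
    int of;
    unsafe_conversion_length(width, prec, val, &of);
    return of;
}

int safe_length(int width, int prec, double val)
{
    char out[WORK_BUF];
    return safe_conversion(out, sizeof out, width, prec, val);
}

int main(void)
{
    /* Constructed inputs: a huge width, a huge precision, and a value whose
     * integer part alone has more than 255 digits. */
    struct { int w, p; double v; } cases[] = {
        { 1000, -1, 3.14 }, { -1, 500, 1.5 }, { -1, -1, 1e300 }, { -1, 2, 3.14159 }
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int of, n = unsafe_conversion_length(cases[i].w, cases[i].p, cases[i].v, &of);
        printf("width=%d prec=%d: sprintf would write %d bytes (%s), bounded path returns %d\n",
               cases[i].w, cases[i].p, n, of ? "OVERFLOW" : "fits",
               safe_length(cases[i].w, cases[i].p, cases[i].v));
    }
    return 0;
}
```

The three constructed inputs correspond to the three ways the advisory's conversion can exceed 255 bytes: a wide field, a long precision, and a value with too many integer digits. Clamping alone fixes the first two; the third still needs the return-value check, which is why the bounded version keeps both.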
Comment 1 Anthony Basile gentoo-dev 2016-12-22 01:03:29 UTC
This is in the tree now.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-22 02:23:37 UTC
@ Arches,

please test and mark stable: =net-misc/curl-7.52.0

Some arches still have to re-keyword curl itself _and_ =net-dns/libidn2-0.11.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-23 12:14:48 UTC
=net-misc/curl-7.52.0 introduced a new vulnerability and was superseded; Moving to bug 603574
Comment 4 Anthony Basile gentoo-dev 2016-12-23 13:31:11 UTC
(In reply to Thomas Deutschmann from comment #2)
> @ Arches,
> 
> please test and mark stable: =net-misc/curl-7.52.0
> 
> Some arches still have to re-keyword curl itself _and_ =net-dns/libidn2-0.11.

Upstream just bumped to 7.52.1 to address a bug.  Please proceed with that.
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-19 19:57:25 UTC
This issue was resolved and addressed in
 GLSA 201701-47 at https://security.gentoo.org/glsa/201701-47
by GLSA coordinator Thomas Deutschmann (whissi).