From ${URL} :

The four libcurl functions curl_escape(), curl_easy_escape(), curl_unescape and curl_easy_unescape perform string URL percent escaping and unescaping. They accept custom string length inputs in signed integer arguments. (The functions having names without "easy" being the deprecated versions of the others.)

The provided string length arguments were not properly checked and due to arithmetic in the functions, passing in the length 0xffffffff (2^32-1 or UINT_MAX or even just -1) would end up causing an allocation of zero bytes of heap memory that curl would attempt to write gigabytes of data into.

The use of 'int' for this input type in the API is of course unwise but has remained so in order to maintain the API over the years.

This flaw exists in the following libcurl versions:

Affected versions: libcurl 7.11.1 to and including 7.50.2
Not affected versions: libcurl < 7.11.1 and libcurl >= 7.50.3

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
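Added example, not part of the bug report and not curl's source: a C sketch of the length arithmetic the advisory describes, beside a checked version that a caller or wrapper could use. The function names and the exact `length + 1` sizing are assumptions made for illustration; the advisory does not quote the code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the unchecked sizing: a signed length is widened
 * to size_t and one byte is added for the terminating NUL. With
 * length == -1 the widened value is SIZE_MAX, so the sum wraps to 0. */
static size_t alloc_size_unchecked(const char *s, int length)
{
    size_t n = length ? (size_t)length : strlen(s);
    return n + 1;
}

/* Checked sizing for percent-escaping: reject negative lengths and make
 * sure the worst case (every byte becomes "%XX", three bytes) plus the
 * NUL still fits in size_t. Returns 0 on success, -1 on rejection. */
static int alloc_size_checked(const char *s, int length, size_t *out)
{
    if (s == NULL || out == NULL || length < 0)
        return -1;
    size_t n = length ? (size_t)length : strlen(s);
    if (n > (SIZE_MAX - 1) / 3)
        return -1;
    *out = n * 3 + 1;
    return 0;
}

int main(void)
{
    size_t need = 0;
    /* Constructed inputs: a normal call and the length from the advisory. */
    printf("unchecked, length 0 : %zu bytes\n", alloc_size_unchecked("a b", 0));
    printf("unchecked, length -1: %zu bytes\n", alloc_size_unchecked("a b", -1));
    if (alloc_size_checked("a b", -1, &need) != 0)
        printf("checked,   length -1: rejected\n");
    if (alloc_size_checked("a b", 0, &need) == 0)
        printf("checked,   length 0 : %zu bytes\n", need);
    return 0;
}
```

A zero-byte request that succeeds gives the copy loop a valid pointer with no usable space behind it, which is why the negative length has to be rejected before any size is computed.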
Okay curl-7.50.3 is now in the tree and ready for stabilization: KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Arches, please test and mark stable:
=net-misc/curl-7.50.3
Target Keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Thank you!
amd64 stable
Stable on alpha.
Stable for PPC64.
Stable for HPPA.
arm stable
x86 stable
sparc stable
ppc stable
ia64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
(In reply to Agostino Sarubbo from comment #11)
> ia64 stable.
>
> Maintainer(s), please cleanup.
> Security, please add it to the existing request, or file a new one.

done
This issue was resolved and addressed in GLSA 201701-47 at https://security.gentoo.org/glsa/201701-47 by GLSA coordinator Thomas Deutschmann (whissi).