The URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function would be made to allocate a unscape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus the length would get either just truncated or both truncated and turned negative. That could then lead to libcurl writing outside of its heap based buffer.
References
Link | Resource |
---|---|
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html | |
http://www.securityfocus.com/bid/94105 | Third Party Advisory VDB Entry |
http://www.securitytracker.com/id/1037192 | Third Party Advisory VDB Entry |
https://access.redhat.com/errata/RHSA-2018:2486 | Third Party Advisory |
https://access.redhat.com/errata/RHSA-2018:3558 | |
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8622 | Issue Tracking Patch Third Party Advisory |
https://curl.haxx.se/docs/adv_20161102H.html | Patch Vendor Advisory |
https://security.gentoo.org/glsa/201701-47 | Third Party Advisory |
https://www.tenable.com/security/tns-2016-21 | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: redhat
Published: 2018-07-31T21:00:00
Updated: 2018-11-13T10:57:01
Reserved: 2016-10-12T00:00:00
Link: CVE-2016-8622
JSON object: View
NVD Information
Status : Modified
Published: 2018-07-31T21:29:00.317
Modified: 2023-11-07T02:36:24.590
Link: CVE-2016-8622
JSON object: View
Redhat Information
No data.