Arch Linux Security Advisory ASA-201609-19

Severity: Low
Date    : 20916-09-20
CVE-ID  : CVE-2016-7167
Package : curl
Type    : denial of service
Remote  : Yes
Link    :


The package curl before version 7.50.3-1 is vulnerable to denial
of service.


Upgrade to 7.50.3-1.

# pacman -Syu "curl>=7.50.3-1"

The problem has been fixed upstream in version 7.50.3.




The four libcurl functions `curl_escape()`, `curl_easy_escape()`,
`curl_unescape` and `curl_easy_unescape` perform string URL percent
escaping and unescaping. They accept custom string length inputs in
signed integer arguments. (The functions having names without "easy"
being the deprecated versions of the others.)

The provided string length arguments were not properly checked and due
to arithmetic in the functions, passing in the length 0xffffffff
(2^32-1 or `UINT_MAX` or even just -1) would end up causing an
allocation of zero bytes of heap memory that curl would attempt to
write gigabytes of data into.

The use of 'int' for this input type in the API is of course unwise
but has remained so in order to maintain the API over the years.

We are not aware of any exploit of this flaw.


A remote attacker might cause a crash by providing a specially crafted
URL, leading to a denial of service.


Attachment: signature.asc
Description: PGP signature

Reply via email to