CVE-2016-8622

NameCVE-2016-8622
DescriptionThe URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function would be made to allocate a unscape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus the length would get either just truncated or both truncated and turned negative. That could then lead to libcurl writing outside of its heap based buffer.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-711-1, DSA-3705-1
NVD severityhigh (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
curl (PTS)jessie7.38.0-4+deb8u11fixed
jessie (security)7.38.0-4+deb8u12fixed
stretch7.52.1-5+deb9u6fixed
stretch (security)7.52.1-5+deb9u7fixed
buster, sid7.61.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
curlsource(unstable)7.51.0-1high
curlsourcejessie7.38.0-4+deb8u5highDSA-3705-1
curlsourcewheezy7.26.0-1+wheezy17highDLA-711-1

Notes

https://github.com/curl/curl/commit/53e71e47d6b81650d26ec33a58d0dca24c7ffb2c
https://curl.haxx.se/docs/adv_20161102H.html
https://curl.haxx.se/CVE-2016-8622.patch

Search for package or bug name: Reporting problems