CURL-CVE-2016-8620

See a problem?

Source

https://curl.se/docs/CVE-2016-8620.html

Import Source

https://curl.se/docs/CURL-CVE-2016-8620.json

JSON Data

https://api.osv.dev/v1/vulns/CURL-CVE-2016-8620

Aliases

CVE-2016-8620

Published

2016-11-02T08:00:00Z

Modified

2024-06-07T13:53:51Z

Summary

glob parser write/read out of bounds

Details

The curl tool's "globbing" feature allows a user to specify a numerical range through which curl iterates. It is typically specified as [1-5], specifying the first and the last numbers in the range. Or with [a-z], using letters.

The curl code for parsing the second unsigned number did not check for a leading minus character, which allowed a user to specify [1--1] with no complaints and have the latter -1 number get turned into the largest unsigned long value the system can handle. This would ultimately cause curl to write outside the dedicated heap allocated buffer after no less than 100,000 iterations, since it would have room for 5 digits but not 6.
When the range is specified with letters, and the ending letter is left out [L-], the code would still advance its read pointer 5 bytes even if the string was just 4 bytes and end up reading outside the given buffer.

This flaw exists only in the curl tool, not in the libcurl library.

References

Credits

- Luật Nguyễn - FINDER
- Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git /

Affected ranges

Type: SEMVER
Events: Introduced

7.34.0

Fixed

7.51.0

Affected versions

7.*

7.34.0

7.35.0

7.36.0

7.37.0

7.37.1

7.38.0

7.39.0

7.40.0

7.41.0

7.42.0

7.42.1

7.43.0

7.44.0

7.45.0

7.46.0

7.47.0

7.47.1

7.48.0

7.49.0

7.49.1

7.50.0

7.50.1

7.50.2

7.50.3