-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2016.0101
           Multiple vulnerabilities have been identified in cURL
                              3 November 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              cuRL
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Denial of Service               -- Remote/Unauthenticated
                      Provide Misleading Information  -- Remote/Unauthenticated
                      Access Confidential Data        -- Remote/Unauthenticated
                      Unauthorised Access             -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2016-8625 CVE-2016-8624 CVE-2016-8623
                      CVE-2016-8622 CVE-2016-8621 CVE-2016-8620
                      CVE-2016-8619 CVE-2016-8618 CVE-2016-8617
                      CVE-2016-8616 CVE-2016-8615 
Member content until: Saturday, December  3 2016

OVERVIEW

        Multiple vulnerabilities have been identified in cURL prior to 
        version 7.51.0. [1]


IMPACT

        The following details have been provided regarding the 
        vulnerabilities:
        
        CVE-2016-8615: "If cookie state is written into a cookie jar file 
        that is later read back and used for subsequent requests, a 
        malicious HTTP server can inject new cookies for arbitrary domains 
        into said cookie jar.
        
        The issue pertains to the function that loads cookies into memory, 
        which reads the specified file into a fixed-size buffer in a 
        line-by-line manner using the fgets() function. If an invocation of
        fgets() cannot read the whole line into the destination buffer due 
        to it being too small, it truncates the output. This way, a very 
        long cookie (name + value) sent by a malicious server would be 
        stored in the file and subsequently that cookie could be read 
        partially and crafted correctly, it could be treated as a different
        cookie for another server." [2]
        
        CVE-2016-8616: "When re-using a connection, curl was doing case 
        insensitive comparisons of user name and password with the existing
        connections.
        
        This means that if an unused connection with proper credentials 
        exists for a protocol that has connection-scoped credentials, an 
        attacker can cause that connection to be reused if s/he knows the 
        case-insensitive version of the correct password." [3]
        
        CVE-2016-8617: "On systems with 32-bit addresses in userspace (e.g.
        x86, ARM, x32), the multiplication in the expression wraps around if
        insize is at least 1GB of data. If this happens, an undersized 
        output buffer will be allocated, but the full result will be 
        written, thus causing the memory behind the output buffer to be 
        overwritten.
        
        If a username is set directly via CURLOPT_USERNAME (or curl's -u, 
        --user option), this vulnerability can be triggered. The name has to
        be at least 512MB big in a 32bit system." [4]
        
        CVE-2016-8618: "The libcurl API function called curl_maprintf() can
        be tricked into doing a double-free due to an unsafe size_t 
        multiplication, on systems using 32 bit size_t variables. The 
        function is also used internallty in numerous situations.
        
        The function doubles an allocated memory area with realloc() and 
        allows the size to wrap and become zero and when doing so realloc()
        returns NULL and frees the memory - in contrary to normal realloc()
        fails where it only returns NULL - causing libcurl to free the 
        memory again in the error path.
        
        Systems with 64 bit versions of the size_t type are not affected by
        this issue." [5]
        
        CVE-2016-8619: "In curl's implementation of the Kerberos 
        authentication mechanism, the function read_data() in security.c is
        used to fill the necessary krb5 structures. When reading one of the
        length fields from the socket, it fails to ensure that the length 
        parameter passed to realloc() is not set to 0.
        
        This would lead to realloc() getting called with a zero size and 
        when doing so realloc() returns NULL and frees the memory - in 
        contrary to normal realloc() fails where it only returns NULL - 
        causing libcurl to free the memory again in the error path.
        
        This flaw could be triggered by a malicious or just otherwise 
        ill-behaving server." [6]
        
        CVE-2016-8620: "The curl tool's "globbing" feature allows a user to
        specify a numerical range through which curl will iterate. It is 
        typically specified as [1-5], specifying the first and the last 
        numbers in the range. Or with [a-z], using letters.
        
        The curl code for parsing the second unsigned number did not check 
        for a leading minus character, which allowed a user to specify 
        [1--1] with no complaints and have the latter -1 number get turned 
        into the largest unsigned long value the system can handle. This 
        would ultimately cause curl to write outside the dedicated malloced
        buffer after no less than 100,000 iterations, since it would have 
        room for 5 digits but not 6.
        
        When the range is specified with letters, and the ending letter is 
        left out [L-], the code would still advance its read pointer 5 bytes
        even if the string was just 4 bytes and end up reading outside the 
        given buffer." [7]
        
        CVE-2016-8621: "The curl_getdate converts a given date string into a
        numerical timestamp and it supports a range of different formats and
        possibilites to express a date and time. The underlying date parsing
        function is also used internally when parsing for example HTTP 
        cookies (possibly received from remote servers) and it can be used 
        when doing conditional HTTP requests.
        
        The date parser function uses the libc sscanf() function at two 
        places, with the parsing strings "%02d:%02d" and ""%02d:%02d:%02d".
        The intent being that it would parse either a string with HH:MM (two
        digits colon two digits) or HH:MM:SS (two digits colon two digits 
        colon two digits). If instead the piece of time that was sent in had
        the final digit cut off, thus ending with a single-digit, the date 
        parser code would advance its read pointer one byte too much and end
        up reading out of bounds." [8]
        
        CVE-2016-8622: "The URL percent-encoding decode function in libcurl
        is called curl_easy_unescape. Internally, even if this function 
        would be made to allocate a unscape destination buffer larger than 
        2GB, it would return that new length in a signed 32 bit integer 
        variable, thus the length would get either just truncated or both 
        truncated and turned negative. That could then lead to libcurl 
        writing outside of its heap based buffer.
        
        This can be triggered by a user on a 64bit system if the user can 
        send in a custom (very large) URL to a libcurl using program." [9]
        
        CVE-2016-8623: "libcurl explicitly allows users to share cookies 
        between multiple easy handles that are concurrently employed by 
        different threads.
        
        When cookies to be sent to a server are collected, the matching 
        function collects all cookies to send and the cookie lock is 
        released immediately afterwards. That funcion however only returns a
        list with references back to the original strings for name, value, 
        path and so on. Therefore, if another thread quickly takes the lock
        and frees one of the original cookie structs together with its 
        strings, a use-after-free can occur and lead to information 
        disclosure. Another thread can also replace the contents of the 
        cookies from separate HTTP responses or API calls." [10]
        
        CVE-2016-8624: "curl doesn't parse the authority component of the 
        URL correctly when the host name part ends with a '#' character, and
        could instead be tricked into connecting to a different host. This 
        may have security implications if you for example use a URL parser 
        that follows the RFC to check for allowed domains before using curl
        to request them.
        
        Passing in http://example.com#@evil.com/x.txt would wrongly make 
        curl send a request to evil.com while your browser would connect to
        example.com given the same URL.
        
        The problem exists for most protocol schemes." [11]
        
        CVE-2016-8625: "When curl is built with libidn to handle 
        International Domain Names (IDNA), it translates them to puny code 
        for DNS resolving using the IDNA 2003 standard, while IDNA 2008 is 
        the modern and up-to-date IDNA standard.
        
        This misalignment causes problems with for example domains using the
        German B character (known as the Unicode Character 'LATIN SMALL 
        LETTER SHARP S') which is used at times in the .de TLD and is 
        translated differently in the two IDNA standards, leading to users 
        potentially and unknowingly issuing network transfer requests to the
        wrong host.
        
        For example, straBe.de is translated into strasse.de using IDNA 2003
        but is translated into xn--strae-oqa.de using IDNA 2008. Needless to
        say, those host names could very well resolve to different addresses
        and be two completely independent servers. IDNA 2008 is mandatory 
        for .de domains.
        
        curl is not alone with this problem, as there's currently a big flux
        in the world of network user-agents about which IDNA version to 
        support and use.
        
        This name problem exists for DNS-using protocols in curl, but only 
        when built to use libidn." [12]


MITIGATION

        Users are advised to upgrade to the latest version to address these
        issues. [1]


REFERENCES

        [1] cURL -- multiple vulnerabilities
            https://www.vuxml.org/freebsd/765feb7d-a0d1-11e6-a881-b499baebfeaf.html

        [2] cookie injection for other servers
            https://curl.haxx.se/docs/adv_20161102A.html

        [3] case insensitive password comparison
            https://curl.haxx.se/docs/adv_20161102B.html

        [4] OOB write via unchecked multiplication
            https://curl.haxx.se/docs/adv_20161102C.html

        [5] double-free in curl_maprintf
            https://curl.haxx.se/docs/adv_20161102D.html

        [6] double-free in krb5 code
            https://curl.haxx.se/docs/adv_20161102E.html

        [7] glob parser write/read out of bounds
            https://curl.haxx.se/docs/adv_20161102F.html

        [8] curl_getdate read out of bounds
            https://curl.haxx.se/docs/adv_20161102G.html

        [9] URL unescape heap overflow via integer truncation
            https://curl.haxx.se/docs/adv_20161102H.html

        [10] Use-after-free via shared cookies
             https://curl.haxx.se/docs/adv_20161102I.html

        [11] invalid URL parsing with '#'
             https://curl.haxx.se/docs/adv_20161102J.html

        [12] IDNA 2003 makes curl use wrong host
             https://curl.haxx.se/docs/adv_20161102K.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWBrKaox+lLeg9Ub1AQg5Jg/9GKmzvI5rLgv6JxQS5sRRPuxM7Dh1LcR7
GTK1jdiTiVzGNHnNkp3mPHt1PdsAaPQHKnVvS7qGYOnQIVqHq3NP2D8cvM9e7bYU
HMRwgbFv+OZ8q8bAPwYxD/+3VPXhz/MUyu1IexQkMnYs0z3kNDHq9cYyRhy8n/Ha
2wdCAagPwgdfyJmuNnbcIsVKTall/tyV7tyben9hA0zbNTPGfJzydvBA2PiYPYi9
jpM/Wibu7EhUFTeYvKN1PBaCa3SQ/D29VqL/gNSOfxKGMEnyD9UfByUE83wAOTfK
VRdjMtFQH5taxPwz14AYsogqU2YxpX1bgdUk95f1xIasFVaoMoZx/InMjM75PzA1
ktpNb0/kqgpS7sV98qH7D0GfKGPfN7z+7TzVIdiOoOdaiJCE7lsYHwRYyh9QCCU1
7pbGz6eByYMAnlp2+ajPwZg9d6w+b4e0uq2Np7U+a9M9Jf0ji99Tz+S62eIsn2XR
kb+AmHBoke4apypbLf1predf69JzROKqNflSKzSJ0jq2uoinqDDtC/TtG2R18PeG
M5uYYFncJg+2a7+K+n174E7tVfxXKRmvUQpos5irH1fNo7LnP5KERe2LqOfb53W1
u9lWWlzxpOkeMvezDluMDEEo/AnhK49X7/KVqIdbHAdrtBbfuyZCg+7U0cgU9H2P
s9mN9pu46UA=
=nOtd
-----END PGP SIGNATURE-----