Vigil@nce - libcurl: integer overflow via curl_escape
November 2016 by Vigil@nce
This bulletin was written by Vigil@nce : https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can generate an integer overflow via functions of the
curl_escape() family of libcurl, in order to trigger a denial of
service, and possibly to run code.
Impacted products: cURL, Debian, Fedora, openSUSE Leap, pfSense,
Puppet, Slackware, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Creation date: 14/09/2016.
DESCRIPTION OF THE VULNERABILITY
The libcurl library provides the curl_escape(),
curl_easy_escape(), curl_unescape() and curl_easy_unescape()
functions to convert special characters.
However, if the requested size is too large, an integer overflows,
and an allocated memory area is too short.
An attacker can therefore generate an integer overflow via
functions of the curl_escape() family of libcurl, in order to
trigger a denial of service, and possibly to run code.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/libcurl-integer-overflow-via-curl-escape-20606