Univention Bugzilla – Bug 48131
curl: Multiple issues (4.2)
Last modified: 2018-11-14 14:59:00 CET
New Debian curl 7.38.0-4+deb8u13 fixes:

This update addresses the following issues:
* Incorrect reuse of client certificates (CVE-2016-7141)
* escape and unescape integer overflows (CVE-2016-7167)
* printf floating point buffer overflow (CVE-2016-9586)
* Heap-based buffer overflow via integer overflow in curl_sasl.c:Curl_sasl_create_plain_message() (CVE-2018-16839)
* Heap-based buffer over-read in tool_msgs.c:voutf() allows for information disclosure and crash (CVE-2018-16842)
--- mirror/ftp/4.2/unmaintained/4.2-5/source/curl_7.38.0-4+deb8u12.dsc +++ apt/ucs_4.2-0-errata4.2-5/source/curl_7.38.0-4+deb8u13.dsc @@ -1,3 +1,31 @@ +7.38.0-4+deb8u13 [Tue, 06 Nov 2018 19:01:46 +0100] Markus Koschany <apo@debian.org>: + + * Non-maintainer upload by the LTS team. + * Fix the following security vulnerabilities: + * CVE-2016-7141: + When built with NSS and the libnsspem.so library is available at runtime, + allows remote attacker to hijack the authentication of a TLS connection by + leveraging reuse of a previously loaded client certificate from file for a + connection for which no certificate has been set, a different + vulnerability than CVE-2016-5420. + * CVE-2016-7167: + Multiple integer overflows in the (1) curl_escape, (2) curl_easy_escape, + (3) curl_unescape, and (4) curl_easy_unescape functions in libcurl allow + attackerrs to have unspecified impact via a string of length 0xffffffff, + which triggers a heap-based buffer overflow. + * CVE-2016-9586: + Curl is vulnerable to a buffer overflow when doing a large floating point + output in libcurl's implementation of the printf() functions. If there are + any applications that accept a format string from the outside without + necessary input filtering, it could allow remote attacks. + * CVE-2018-16839: + Curl is vulnerable to a buffer overrun in the SASL authentication code that + may lead to denial of service. + * CVE-2018-16842: + Curl is vulnerable to a heap-based buffer over-read in the + tool_msgs.c:voutf() function that may result in information exposure and + denial of service. + 7.38.0-4+deb8u12 [Sat, 08 Sep 2018 11:55:45 +0100] Chris Lamb <lamby@debian.org>: * Fix an NTLM password overflow via integer overflow as per CVE-2018-14618 <http://10.200.17.11/4.2-5/#580695000923150219>
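Review bot: in the CVE-2016-7167 changelog entry, "attackerrs" is misspelled and should read "attackers". The CVE-2018-16839 entry describes the SASL issue only as a buffer overrun that "may lead to denial of service", while the bug description above classifies it as a heap-based buffer overflow via integer overflow in curl_sasl.c:Curl_sasl_create_plain_message(); naming the function and the overflow class in the changelog would keep the two consistent. The entry also lists no patch file names per CVE, which would make it easier to audit which fix maps to which issue.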
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.2-5] 72d34a53a8 Bug #48131: curl 7.38.0-4+deb8u13
 doc/errata/staging/curl.yaml | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
<http://errata.software-univention.de/ucs/4.2/544.html>