http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

95019

1037515

RHSA-2018:3558

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9586

https://curl.haxx.se/docs/adv_20161221A.html

https://github.com/curl/curl/commit/curl-7_51_0-162-g3ab3c16

[debian-lts-announce] 20181106 [SECURITY] [DLA 1568-1] curl security update

GLSA-201701-47

According to the versions of the curl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - A NULL pointer dereference flaw was found in the way     libcurl checks values returned by the openldap     ldap_get_attribute_ber() function. A malicious LDAP     server could use this flaw to crash a libcurl client     application via a specially crafted LDAP     reply.(CVE-2018-1000121)

  - It was found that libcurl did not safely parse FTP URLs     when using the CURLOPT_FTP_FILEMETHOD method. An     attacker, able to provide a specially crafted FTP URL     to an application using libcurl, could write a NULL     byte at an arbitrary location, resulting in a crash, or     an unspecified behavior.(CVE-2018-1000120)

  - ** RESERVED ** This candidate has been reserved by an     organization or individual that will use it when     announcing a new security problem. When the candidate     has been publicized, the details for this candidate     will be provided.(CVE-2016-8623)

  - ** RESERVED ** This candidate has been reserved by an     organization or individual that will use it when     announcing a new security problem. When the candidate     has been publicized, the details for this candidate     will be provided.(CVE-2016-8622)

  - It was found that the libcurl library did not prevent     TLS session resumption when the client certificate had     changed. An attacker could potentially use this flaw to     hijack the authentication of the connection by     leveraging a previously created connection with a     different client certificate.(CVE-2016-5419)

  - A buffer overrun flaw was found in the IMAP handler of     libcurl. By tricking an unsuspecting user into     connecting to a malicious IMAP server, an attacker     could exploit this flaw to potentially cause     information disclosure or crash the     application.(CVE-2017-1000257)

  - ** RESERVED ** This candidate has been reserved by an     organization or individual that will use it when     announcing a new security problem. When the candidate     has been publicized, the details for this candidate     will be provided.(CVE-2016-8624)

  - ** RESERVED ** This candidate has been reserved by an     organization or individual that will use it when     announcing a new security problem. When the candidate     has been publicized, the details for this candidate     will be provided.(CVE-2016-8621)

  - A buffer over-read exists in curl 7.20.0 to and     including curl 7.58.0 in the RTSP+RTP handling code     that allows an attacker to cause a denial of service or     information leakage(CVE-2018-1000122)

  - ** RESERVED ** This candidate has been reserved by an     organization or individual that will use it when     announcing a new security problem. When the candidate     has been publicized, the details for this candidate     will be provided.(CVE-2016-9586)

  - The FTP wildcard function in curl and libcurl before     7.57.0 allows remote attackers to cause a denial of     service (out-of-bounds read and application crash) or     possibly have unspecified other impact via a string     that ends with an '' character.(CVE-2017-8817)

  - ** RESERVED ** This candidate has been reserved by an     organization or individual that will use it when     announcing a new security problem. When the candidate     has been publicized, the details for this candidate     will be provided.(CVE-2016-8618)

  - It was found that the libcurl library using the NSS     (Network Security Services) library as TLS/SSL backend     incorrectly re-used client certificates for subsequent     TLS connections in certain cases. An attacker could     potentially use this flaw to hijack the authentication     of the connection by leveraging a previously created     connection with a different client     certificate.(CVE-2016-7141)

  - cURL and libcurl 7.10.6 through 7.34.0, when more than     one authentication method is enabled, re-uses NTLM     connections, which might allow context-dependent     attackers to authenticate as other users via a     request.(CVE-2014-0015)

  - The tailMatch function in cookie.c in cURL and libcurl     before 7.30.0 does not properly match the path domain     when sending cookies, which allows remote attackers to     steal cookies via a matching suffix in the domain of a     URL.(CVE-2013-1944)

  - It was discovered that the libcurl library failed to     properly handle URLs with embedded end-of-line     characters. An attacker able to make an application     using libcurl access a specially crafted URL via an     HTTP proxy could use this flaw to inject additional     headers to the request or construct additional     requests.(CVE-2014-8150)

  - ** RESERVED ** This candidate has been reserved by an     organization or individual that will use it when     announcing a new security problem. When the candidate     has been publicized, the details for this candidate     will be provided.(CVE-2016-8615)

  - The default configuration in cURL and libcurl 7.10.6     before 7.36.0 re-uses (1) SCP, (2) SFTP, (3) POP3, (4)     POP3S, (5) IMAP, (6) IMAPS, (7) SMTP, (8) SMTPS, (9)     LDAP, and (10) LDAPS connections, which might allow     context-dependent attackers to connect as other users     via a request, a similar issue to     CVE-2014-0015.(CVE-2014-0138)

  - ** RESERVED ** This candidate has been reserved by an     organization or individual that will use it when     announcing a new security problem. When the candidate     has been publicized, the details for this candidate     will be provided.(CVE-2016-8617)

  - It was found that the libcurl library did not correctly     handle partial literal IP addresses when parsing     received HTTP cookies. An attacker able to trick a user     into connecting to a malicious server could use this     flaw to set the user's cookie to a crafted domain,     making other cookie-related issues easier to     exploit.(CVE-2014-3613)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities were discovered in cURL, an URL transfer library.

CVE-2016-7141

When built with NSS and the libnsspem.so library is available at runtime, allows an remote attacker to hijack the authentication of a TLS connection by leveraging reuse of a previously loaded client certificate from file for a connection for which no certificate has been set, a different vulnerability than CVE-2016-5420.

CVE-2016-7167

Multiple integer overflows in the (1) curl_escape, (2) curl_easy_escape, (3) curl_unescape, and (4) curl_easy_unescape functions in libcurl allow attackers to have unspecified impact via a string of length 0xffffffff, which triggers a heap-based buffer overflow.

CVE-2016-9586

Curl is vulnerable to a buffer overflow when doing a large floating point output in libcurl's implementation of the printf() functions. If there are any applications that accept a format string from the outside without necessary input filtering, it could allow remote attacks.

CVE-2018-16839

Curl is vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service.

CVE-2018-16842

Curl is vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service.

For Debian 8 'Jessie', these problems have been fixed in version 7.38.0-4+deb8u13.

We recommend that you upgrade your curl packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the curl package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - It was found that libcurl did not safely parse FTP URLs     when using the CURLOPT_FTP_FILEMETHOD method. An     attacker, able to provide a specially crafted FTP URL     to an application using libcurl, could write a NULL     byte at an arbitrary location, resulting in a crash, or     an unspecified behavior.(CVE-2018-1000120)

  - A NULL pointer dereference flaw was found in the way     libcurl checks values returned by the openldap     ldap_get_attribute_ber() function. A malicious LDAP     server could use this flaw to crash a libcurl client     application via a specially crafted LDAP     reply.(CVE-2018-1000121)

  - A buffer over-read exists in curl 7.20.0 to and     including curl 7.58.0 in the RTSP+RTP handling code     that allows an attacker to cause a denial of service or     information leakage(CVE-2018-1000122)

  - curl version curl 7.20.0 to and including curl 7.59.0     contains a Buffer Over-read vulnerability in denial of     service that can result in curl can be tricked into     reading data beyond the end of a heap based buffer used     to store downloaded rtsp content.(CVE-2018-1000301)

  - curl version curl 7.20.0 to and including curl 7.59.0     contains a Buffer Over-read vulnerability in denial of     service that can result in curl can be tricked into     reading data beyond the end of a heap based buffer used     to store downloaded rtsp content.(CVE-2016-9586)

  - libcurl may read outside of a heap allocated buffer     when doing FTP. When libcurl connects to an FTP server     and successfully logs in (anonymous or not), it asks     the server for the current directory with the `PWD`     command. The server then responds with a 257 response     containing the path, inside double quotes. The returned     path name is then kept by libcurl for subsequent uses.
    Due to a flaw in the string parser for this directory     name, a directory name passed like this but without a     closing double quote would lead to libcurl not adding a     trailing NUL byte to the buffer holding the name. When     libcurl would then later access the string, it could     read beyond the allocated heap buffer and crash or     wrongly access data beyond the buffer, thinking it was     part of the path. A malicious server could abuse this     fact and effectively prevent libcurl-based clients to     work with it - the PWD command is always issued on new     FTP connections and the mistake has a high chance of     causing a segfault. The simple fact that this has issue     remained undiscovered for this long could suggest that     malformed PWD responses are rare in benign servers. We     are not aware of any exploit of this flaw. This bug was     introduced in commit     [415d2e7cb7](https://github.com/curl/curl/commit/415d2e     7cb7), March 2005. In libcurl version 7.56.0, the     parser always zero terminates the string but also     rejects it if not terminated properly with a final     double quote.i1/4^CVE-2017-1000254i1/4%0

  - The FTP wildcard function in curl and libcurl before     7.57.0 allows remote attackers to cause a denial of     service (out-of-bounds read and application crash) or     possibly have unspecified other impact via a string     that ends with an '[' character.The FTP wildcard     function in curl and libcurl before 7.57.0 allows     remote attackers to cause a denial of service     (out-of-bounds read and application crash) or possibly     have unspecified other impact via a string that ends     with an '[' character.i1/4^CVE-2017-8817i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the curl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - It was found that libcurl did not safely parse FTP URLs     when using the CURLOPT_FTP_FILEMETHOD method. An     attacker, able to provide a specially crafted FTP URL     to an application using libcurl, could write a NULL     byte at an arbitrary location, resulting in a crash, or     an unspecified behavior.(CVE-2018-1000120)

  - A NULL pointer dereference flaw was found in the way     libcurl checks values returned by the openldap     ldap_get_attribute_ber() function. A malicious LDAP     server could use this flaw to crash a libcurl client     application via a specially crafted LDAP     reply.(CVE-2018-1000121)

  - A buffer over-read exists in curl 7.20.0 to and     including curl 7.58.0 in the RTSP+RTP handling code     that allows an attacker to cause a denial of service or     information leakage(CVE-2018-1000122)

  - curl version curl 7.20.0 to and including curl 7.59.0     contains a Buffer Over-read vulnerability in denial of     service that can result in curl can be tricked into     reading data beyond the end of a heap based buffer used     to store downloaded rtsp content.(CVE-2018-1000301)

  - curl version curl 7.20.0 to and including curl 7.59.0     contains a Buffer Over-read vulnerability in denial of     service that can result in curl can be tricked into     reading data beyond the end of a heap based buffer used     to store downloaded rtsp content.(CVE-2016-9586)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the curl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - curl version curl 7.20.0 to and including curl 7.59.0     contains a Buffer Over-read vulnerability in denial of     service that can result in curl can be tricked into     reading data beyond the end of a heap based buffer used     to store downloaded rtsp content.(CVE-2018-1000301)

  - curl version curl 7.20.0 to and including curl 7.59.0     contains a Buffer Over-read vulnerability in denial of     service that can result in curl can be tricked into     reading data beyond the end of a heap based buffer used     to store downloaded rtsp content.(CVE-2016-9586)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Daniel Stenberg discovered that curl incorrectly handled large floating point output. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-9586)

Even Rouault discovered that curl incorrectly handled large file names when doing TFTP transfers. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly obtain sensitive memory contents. (CVE-2017-1000100)

Brian Carpenter and Yongji Ouyang discovered that curl incorrectly handled numerical range globbing. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly obtain sensitive memory contents. (CVE-2017-1000101)

Max Dymond discovered that curl incorrectly handled FTP PWD responses.
A remote attacker could use this issue to cause curl to crash, resulting in a denial of service. (CVE-2017-1000254)

Brian Carpenter discovered that curl incorrectly handled the
--write-out command line option. A local attacker could possibly use this issue to obtain sensitive memory contents. (CVE-2017-7407).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for curl fixes the following issues :

  - CVE-2017-1000100: TFP sends more than buffer size and it     could lead to a denial of service (bsc#1051644)

  - CVE-2017-7407: ourWriteOut function problem could lead     to a heap buffer over-read (bsc#1032309)

  - CVE-2016-9586: libcurl printf issue could lead to buffer     overflow (bsc#1015332)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is running a version of Mac OS X version 10.x prior to 10.12.6, and is affected by multiple vulnerabilities :

 - An overflow condition exists in the curl component in the 'dprintf_formatf()' function that is triggered when handling floating point conversion. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-9586)
 - A flaw exits in the curl component in the 'randit()' function within file lib/rand.c due to improper initialization of the 32-bit random value, which is used, for example, to generate Digest and NTLM authentication nonces, resulting in weaker cryptographic operations than expected. (CVE-2016-9594)
 - A flaw exists in the curl component in the 'allocate_conn()' function in lib/url.c when using the OCSP stapling feature for checking a X.509 certificate revocation status. The issue is triggered as the request option for OCSP stapling is not properly passed to the TLS library, resulting in no error being returned even when no proof of the validity of the certificate could be provided. A man-in-the-middle attacker can exploit this to provide a revoked certificate. (CVE-2017-2629)
 - A remote code execution vulnerability exists in the CoreAudio component due to improper validation of user-supplied input when handling movie files. An unauthenticated, remote attacker can exploit this, by convincing a user to play a specially crafted movie file, to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7008)
 - A memory corruption issue exists in the IOUSBFamily component due to improper validation of user-supplied input. A local attacker can exploit this, via a specially crafted application, to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7009)
 - Multiple out-of-bounds read errors exist in the libxml2 component due to improper handling of specially crafted XML documents. An unauthenticated, remote attacker can exploit these to disclose user information. (CVE-2017-7010, CVE-2017-7013)
 - Multiple memory corruption issues exist in the Intel Graphics Driver component due to improper validation of input. A local attacker can exploit these issues to execute arbitrary code with elevated privileges. (CVE-2017-7014, CVE-2017-7017, CVE-2017-7035, CVE-2017-7044)
 - A remote code execution vulnerability exists in the Audio component due to improper validation of user-supplied input when handling audio files. An unauthenticated, remote attacker can exploit this, by convincing a user to play a specially crafted audio file, to execute arbitrary code. (CVE-2017-7015)
 - Multiple remote code execution vulnerabilities exist in the afclip component due to improper validation of user-supplied input when handling audio files. An unauthenticated, remote attacker can exploit these vulnerabilities, by convincing a user to play a specially crafted audio file, to execute arbitrary code. (CVE-2017-7016, CVE-2017-7033)
 - A memory corruption issue exists in the AppleGraphicsPowerManagement component due to improper validation of input. A local attacker can exploit this to cause a denial of service condition or the execution of arbitrary code with system privileges. (CVE-2017-7021)
 - Multiple memory corruption issues exist in the kernel due to improper validation of input. A local attacker can exploit these issues to cause a denial of service condition or the execution of arbitrary code with system privileges. (CVE-2017-7022, CVE-2017-7024, CVE-2017-7026)
 - Multiple memory corruption issues exist in the kernel due to improper validation of input. A local attacker can exploit these issues to cause a denial of service condition or the execution of arbitrary code with kernel privileges. (CVE-2017-7023, CVE-2017-7025, CVE-2017-7027, CVE-2017-7069)
 - Multiple unspecified flaws exist in the kernel due to a failure to properly sanitize input. A local attacker can exploit these issues, via a specially crafted application, to disclose restricted memory contents. (CVE-2017-7028, CVE-2017-7029, CVE-2017-7067)
 - A flaw exists in the Foundation component due to improper validation of input. A unauthenticated, remote attacker can exploit this, by convincing a user to open specially crafted file, to execute arbitrary code. (CVE-2017-7031)
 - A memory corruption issue exists in the 'kext tools' component due to improper validation of input. A local attacker can exploit this to execute arbitrary code with elevated privileges. (CVE-2017-7032)
 - Multiple unspecified flaws exist in the Intel Graphics Driver component due to a failure to properly sanitize input. A local attacker can exploit these issues, via a specially crafted application, to disclose restricted memory contents. (CVE-2017-7036, CVE-2017-7045)
 - A memory corruption issue exists in the libxpc component due to improper validation of input. A local attacker can exploit this issue, via a specifically crafted application, to cause a denial of service condition or the execution of arbitrary code with system privileges. (CVE-2017-7047)
 - Multiple memory corruption issues exist in the Bluetooth component due to improper validation of input. A local attacker can exploit these issues to execute arbitrary code with system privileges. (CVE-2017-7050, CVE-2017-7051)
 - A memory corruption issue exists in the Bluetooth component due to improper validation of input. A local attacker can exploit these issues to execute arbitrary code with system privileges. (CVE-2017-7054)
 - A buffer overflow condition exists in the Contacts component due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7062)
 - A buffer overflow condition exists in the libarchive component due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially crafted archive file, to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7068)
 - A certificate validation bypass vulnerability exists in the curl component due to the program attempting to resume TLS sessions even if the client certificate fails. An unauthenticated, remote attacker can exploit this to bypass validation mechanisms. (CVE-2017-7468)
 - A memory corruption issue exists in the Broadcom BCM43xx family Wi-Fi Chips component that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-9417)


The remote host is running Mac OS X 10.10.5, Mac OS X 10.11.6, or macOS 10.12.5 and is missing a security update. It is therefore, affected by multiple vulnerabilities :

  - An overflow condition exists in the curl component in     the dprintf_formatf() function that is triggered when     handling floating point conversion. An unauthenticated,     remote attacker can exploit this to cause a denial of     service condition or the execution of arbitrary code.
    (CVE-2016-9586)

  - A flaw exits in the curl component in the randit()     function within file lib/rand.c due to improper     initialization of the 32-bit random value, which is     used, for example, to generate Digest and NTLM     authentication nonces, resulting in weaker cryptographic     operations than expected. (CVE-2016-9594)

  - A flaw exists in the curl component in the     allocate_conn() function in lib/url.c when using the     OCSP stapling feature for checking a X.509 certificate     revocation status. The issue is triggered as the request     option for OCSP stapling is not properly passed to the     TLS library, resulting in no error being returned even     when no proof of the validity of the certificate could     be provided. A man-in-the-middle attacker can exploit     this to provide a revoked certificate. (CVE-2017-2629)

  - A remote code execution vulnerability exists in the     CoreAudio component due to improper validation of     user-supplied input when handling movie files. An     unauthenticated, remote attacker can exploit this, by     convincing a user to play a specially crafted movie     file, to cause a denial of service condition or the     execution of arbitrary code. (CVE-2017-7008)

  - A memory corruption issue exists in the IOUSBFamily     component due to improper validation of user-supplied     input. A local attacker can exploit this, via a     specially crafted application, to cause a denial of     service condition or the execution of arbitrary code.
    (CVE-2017-7009)

  - Multiple out-of-bounds read errors exist in the libxml2     component due to improper handling of specially crafted     XML documents. An unauthenticated, remote attacker can     exploit these to disclose user information.
    (CVE-2017-7010, CVE-2017-7013)

  - Multiple memory corruption issues exist in the Intel     Graphics Driver component due to improper validation of     input. A local attacker can exploit these issues to     execute arbitrary code with elevated privileges.
    (CVE-2017-7014, CVE-2017-7017, CVE-2017-7035,     CVE-2017-7044)

  - A remote code execution vulnerability exists in the     Audio component due to improper validation of     user-supplied input when handling audio files. An     unauthenticated, remote attacker can exploit this, by     convincing a user to play a specially crafted audio     file, to execute arbitrary code. (CVE-2017-7015)

  - Multiple remote code execution vulnerabilities exist in     the afclip component due to improper validation of     user-supplied input when handling audio files. An     unauthenticated, remote attacker can exploit these     vulnerabilities, by convincing a user to play a     specially crafted audio file, to execute arbitrary     code. (CVE-2017-7016, CVE-2017-7033)

  - A memory corruption issue exists in the     AppleGraphicsPowerManagement component due to improper     validation of input. A local attacker can exploit this     to cause a denial of service condition or the execution     of arbitrary code with system privileges.
    (CVE-2017-7021)

  - Multiple memory corruption issues exist in the kernel     due to improper validation of input. A local attacker     can exploit these issues to cause a denial of service     condition or the execution of arbitrary code with system     privileges. (CVE-2017-7022, CVE-2017-7024,     CVE-2017-7026)

  - Multiple memory corruption issues exist in the kernel     due to improper validation of input. A local attacker     can exploit these issues to cause a denial of service     condition or the execution of arbitrary code with kernel     privileges. (CVE-2017-7023, CVE-2017-7025,     CVE-2017-7027, CVE-2017-7069)

  - Multiple unspecified flaws exist in the kernel due to a     failure to properly sanitize input. A local attacker can     exploit these issues, via a specially crafted     application, to disclose restricted memory contents.
    (CVE-2017-7028, CVE-2017-7029, CVE-2017-7067)

  - A flaw exists in the Foundation component due to     improper validation of input. A unauthenticated, remote     attacker can exploit this, by convincing a user to open     specially crafted file, to execute arbitrary code.
    (CVE-2017-7031)

  - A memory corruption issue exists in the 'kext tools'     component due to improper validation of input. A local     attacker can exploit this to execute arbitrary code with     elevated privileges. (CVE-2017-7032)

  - Multiple unspecified flaws exist in the Intel Graphics     Driver component due to a failure to properly sanitize     input. A local attacker can exploit these issues, via a     specially crafted application, to disclose restricted     memory contents. (CVE-2017-7036, CVE-2017-7045)

  - A memory corruption issue exists in the libxpc component     due to improper validation of input. A local attacker     can exploit this issue, via a specifically crafted     application, to cause a denial of service condition or     the execution of arbitrary code with system privileges.
    (CVE-2017-7047)

  - Multiple memory corruption issues exist in the     Bluetooth component due to improper validation of input.
    A local attacker can exploit these issues to execute     arbitrary code with system privileges. (CVE-2017-7050,     CVE-2017-7051)

  - A memory corruption issue exists in the Bluetooth     component due to improper validation of input. A local     attacker can exploit these issues to execute arbitrary     code with system privileges. (CVE-2017-7054)

  - A buffer overflow condition exists in the Contacts     component due to improper validation of user-supplied     input. An unauthenticated, remote attacker can exploit     this to cause a denial of service condition or the     execution of arbitrary code. (CVE-2017-7062)

  - A buffer overflow condition exists in the libarchive     component due to improper validation of user-supplied     input. An unauthenticated, remote attacker can exploit     this, via a specially crafted archive file, to cause a     denial of service condition or the execution of     arbitrary code. (CVE-2017-7068)

  - A certificate validation bypass vulnerability exists in     the curl component due to the program attempting to     resume TLS sessions even if the client certificate     fails. An unauthenticated, remote attacker can exploit     this to bypass validation mechanisms. (CVE-2017-7468)

  - A memory corruption issue exists in the Broadcom BCM43xx     family Wi-Fi Chips component that allows an     unauthenticated, remote attacker to execute arbitrary     code. (CVE-2017-9417)

This update for curl fixes the following issues :

Security issue fixed :

  - CVE-2016-9586: libcurl printf floating point buffer     overflow (bsc#1015332)

  - CVE-2017-7407: The ourWriteOut function in     tool_writeout.c in curl might have allowed physically     proximate attackers to obtain sensitive information from     process memory in opportunistic circumstances by reading     a workstation screen during use of a --write-out     argument ending in a '%' character, which lead to a     heap-based buffer over-read (bsc#1032309).

With this release new default ciphers are active (SUSE_DEFAULT, bsc#1027712).

This update was imported from the SUSE:SLE-12:Update update project.

This update for curl fixes the following issues: These security issues were fixed :

  - CVE-2016-9586: libcurl printf floating point buffer     overflow (bsc#1015332)

  - CVE-2017-7407: The ourWriteOut function in     tool_writeout.c in curl might have allowed physically     proximate attackers to obtain sensitive information from     process memory in opportunistic circumstances by reading     a workstation screen during use of a --write-out     argument ending in a '%' character, which lead to a     heap-based buffer over-read (bsc#1032309).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for curl fixes the following issues: Security issue fixed :

  - CVE-2016-9586: libcurl printf floating point buffer     overflow (bsc#1015332)

  - CVE-2017-7407: The ourWriteOut function in     tool_writeout.c in curl might have allowed physically     proximate attackers to obtain sensitive information from     process memory in opportunistic circumstances by reading     a workstation screen during use of a --write-out     argument ending in a '%' character, which lead to a     heap-based buffer over-read (bsc#1032309). With this     release new default ciphers are active (SUSE_DEFAULT,     bsc#1027712).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is running a version of macOS that is 10.12.x prior to 10.12.4. It is, therefore, affected by multiple vulnerabilities in multiple components, some of which are remote code execution vulnerabilities. An unauthenticated, remote attacker can exploit these remote code execution vulnerabilities by convincing a user to visit a specially crafted website, resulting in the execution of arbitrary code in the context of the current user. The affected components are as follows :

  - apache
  - apache_mod_php
  - AppleGraphicsPowerManagement
  - AppleRAID
  - Audio
  - Bluetooth
  - Carbon
  - CoreGraphics
  - CoreMedia
  - CoreText
  - curl
  - EFI
  - FinderKit
  - FontParser
  - HTTPProtocol
  - Hypervisor
  - iBooks
  - ImageIO
  - Intel Graphics Driver
  - IOATAFamily
  - IOFireWireAVC
  - IOFireWireFamily
  - Kernel
  - Keyboards
  - libarchive
  - libc++abi
  - LibreSSL
  - MCX Client
  - Menus
  - Multi-Touch
  - OpenSSH
  - OpenSSL
  - Printing
  - python
  - QuickTime
  - Security
  - SecurityFoundation
  - sudo
  - System Integrity Protection
  - tcpdump
  - tiffutil
  - WebKit

libcurl's implementation of the printf() functions triggers a buffer overflow when doing a large floating point output. If there are any application that accepts a format string from the outside without necessary input filtering, it could allow remote attacks. This flaw does not exist in the command line tool.

The remote host is affected by the vulnerability described in GLSA-201701-47 (cURL: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in cURL. Please review the       CVE identifiers and bug reports referenced for details.
  Impact :

    Remote attackers could conduct a Man-in-the-Middle attack to obtain       sensitive information, cause a Denial of Service condition, or execute       arbitrary code.
  Workaround :

    There is no known workaround at this time.

- fix floating point buffer overflow issues     (CVE-2016-9586)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that libcurl's implementation of the printf() functions triggers a buffer overflow when doing a large floating point output. The bug occurs when the conversion outputs more than 255 bytes.

The flaw happens because the floating point conversion is using system functions without the correct boundary checks.

If there are any application that accepts a format string from the outside without necessary input filtering, it could allow remote attacks.

This flaw does not exist in the command line tool.

For Debian 7 'Wheezy', these problems have been fixed in version 7.26.0-1+wheezy18.

We recommend that you upgrade your curl packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The cURL project reports : printf floating point buffer overflow libcurl's implementation of the printf() functions triggers a buffer overflow when doing a large floating point output. The bug occurs when the conversion outputs more than 255 bytes.

ID	Name	Product	Family	Severity
125002	EulerOS Virtualization 3.0.1.0 : curl (EulerOS-SA-2019-1549)	Nessus	Huawei Local Security Checks	high
118753	Debian DLA-1568-1 : curl security update	Nessus	Debian Local Security Checks	high
118418	EulerOS Virtualization 2.5.0 : curl (EulerOS-SA-2018-1330)	Nessus	Huawei Local Security Checks	high
110867	EulerOS 2.0 SP3 : curl (EulerOS-SA-2018-1203)	Nessus	Huawei Local Security Checks	high
110866	EulerOS 2.0 SP2 : curl (EulerOS-SA-2018-1202)	Nessus	Huawei Local Security Checks	medium
103773	Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : curl vulnerabilities (USN-3441-1)	Nessus	Ubuntu Local Security Checks	medium
102910	SUSE SLES11 Security Update : curl (SUSE-SU-2017:2312-1)	Nessus	SuSE Local Security Checks	medium
700170	Mac OS X 10.x < 10.12.6 Multiple Vulnerabilities	Nessus Network Monitor	Operating System Detection	critical
101957	macOS and Mac OS X Multiple Vulnerabilities (Security Update 2017-003)	Nessus	MacOS X Local Security Checks	high
99702	openSUSE Security Update : curl (openSUSE-2017-513)	Nessus	SuSE Local Security Checks	medium
99465	SUSE SLES11 Security Update : curl (SUSE-SU-2017:1043-1)	Nessus	SuSE Local Security Checks	medium
99464	SUSE SLED12 / SLES12 Security Update : curl (SUSE-SU-2017:1042-1)	Nessus	SuSE Local Security Checks	medium
99134	macOS 10.12.x < 10.12.4 Multiple Vulnerabilities (httpoxy)	Nessus	MacOS X Local Security Checks	critical
97896	Amazon Linux AMI : curl (ALAS-2017-806)	Nessus	Amazon Linux Local Security Checks	medium
96644	GLSA-201701-47 : cURL: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
96209	Fedora 24 : curl (2016-86d2b5aefb)	Nessus	Fedora Local Security Checks	medium
96183	Debian DLA-767-1 : curl security update	Nessus	Debian Local Security Checks	medium
96160	Fedora 25 : curl (2016-edbb33ab2e)	Nessus	Fedora Local Security Checks	medium
96086	FreeBSD : cURL -- buffer overflow (42880202-c81c-11e6-a9a5-b499baebfeaf)	Nessus	FreeBSD Local Security Checks	medium

CVE-2016-9586

MEDIUM

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

high

medium

medium

medium

critical

high

medium

medium

medium

critical

medium

high

medium

medium

medium

medium