FreeBSD : cURL -- Escape and unescape integer overflows (b018121b-7a4b-11e6-bf52-b499baebfeaf)

This script is Copyright (C) 2016 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing a security-related update.

Description :

The cURL project reports :

The four libcurl functions curl_escape(), curl_easy_escape(),
curl_unescape and curl_easy_unescape perform string URL percent
escaping and unescaping. They accept custom string length inputs in
signed integer arguments.

The provided string length arguments were not properly checked and due
to arithmetic in the functions, passing in the length 0xffffffff
(2^32-1 or UINT_MAX or even just -1) would end up causing an
allocation of zero bytes of heap memory that curl would attempt to
write gigabytes of data into.

See also :

https://curl.haxx.se/docs/adv_20160914.html
http://www.nessus.org/u?8776458c

Solution :

Update the affected package.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 93498

Bugtraq ID:

CVE ID: CVE-2016-7167
