Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian:8.

Libcurl 7.1 through 7.57.0 might accidentally leak authentication data to third parties. When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in the URL in the Location: response header value. Sending the same set of headers to subsequent hosts is in particular a problem for applications that pass on custom Authorization: headers, as this header often contains privacy-sensitive information or data that could allow others to impersonate the libcurl-using client's request.

Upgrade Debian:8 curl to version 7.38.0-4+deb8u9 or higher.

curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large a temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32-bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)

Upgrade Debian:8 curl to version 7.38.0-4+deb8u12 or higher.

Libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()) generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening. This output data can grow larger than the local buffer if very large 'nt response' data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server. Such a 'large value' needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header.

Upgrade Debian:8 curl to version 7.38.0-4+deb8u14 or higher.

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian:8.

Multiple stack-based buffer overflows in the GNU C Library (aka glibc or libc6) before 2.23 allow context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long argument to the (1) nan, (2) nanf, or (3) nanl function.

There is no fixed version for Debian:8 glibc.

Note: Versions mentioned in the description apply only to the upstream zlib package and not the zlib package as distributed by Debian:8.

See How to fix? for Debian:8 relevant fixed versions and status.