Re: Call for advice regarding curl CVE-2016-9586
Hi,

2016-12-28 11:59 GMT+01:00 Ola Lundqvist :
> Thank you.
>
> It was added to dla-needed.txt one or two days ago.

I'm in the process of uploading the fixed package. For the record curl_mprintf() is formatting floating point values in a buggy way in Wheezy's version and I have adapted the added tests to that. The buggy formatting however did not prevent the stack-corruption from occurring, thus the fix was needed. :-)

Cheers,
Balint

> > / Ola
> >
> > Sent from a phone
> >
> > On 27 Dec 2016 22:37, "Antoine Beaupré" wrote:
>>
>> On 2016-12-23 17:54:11, Ola Lundqvist wrote:
>> > Hi
>> >
>> > I have looked into CVE-2016-9586 affecting curl.
>> > What I'm trying to figure out is whether it is worth the effort to fix
>> > it or not.
>> >
>> > More info here:
>> > https://curl.haxx.se/docs/adv_20161221A.html
>> >
>> > 1) There are no known exploits -> minor issue (?)
>>
>> "No known exploits" is mostly irrelevant, the severity of the issue
>> is. In this case, a buffer overflow is severe enough to warrant action,
>> in my opinion.
>>
>> > 2) The functions have been documented as deprecated for a long time
>>
>> Considering how old the software in wheezy is, this may mean we still
>> have some of those tools. :)
>>
>> > 3) The problem only occurs on applications without proper input
>> > sanitizing (and using curl_mprintf) so one could even argue that this
>> > is not really a fault in curl at all.
>>
>> This I am more convinced by: it's the format string, not the argument,
>> so it's less likely to be an attack vector. But as Guido said, we can't
>> review all the instances and we should fix this anyways.
>>
>> A.
>> --
>> A man is none the less a slave because he is allowed to choose a new
>> master once in a term of years.
>> - Lysander Spooner

diff -Nru curl-7.26.0/debian/changelog curl-7.26.0/debian/changelog --- curl-7.26.0/debian/changelog 2016-11-10 17:50:13.0 +0100 +++ curl-7.26.0/debian/changelog 2016-12-28 23:19:19.0 +0100 
@@ -1,3 +1,17 @@ +curl (7.26.0-1+wheezy18) wheezy-security; urgency=medium + + * Non-maintainer upload by the LTS Team. + * CVE-2016-9586 +libcurl's implementation of the printf() functions triggers a buffer +overflow when doing a large floating point output. The bug occurs +when the conversion outputs more than 255 bytes. +If there are any application that accepts a format string from the outside +without necessary input filtering, it could allow remote attacks. +This flaw does not exist in the command line tool. +(Closes: #848958) + + -- Balint Reczey Wed, 28 Dec 2016 17:23:47 +0100 + curl (7.26.0-1+wheezy17) wheezy-security; urgency=high * Non-maintainer upload by the LTS Team. diff -Nru curl-7.26.0/debian/patches/CVE-2016-9586.patch curl-7.26.0/debian/patches/CVE-2016-9586.patch --- curl-7.26.0/debian/patches/CVE-2016-9586.patch 1970-01-01 01:00:00.0 +0100 +++ curl-7.26.0/debian/patches/CVE-2016-9586.patch 2016-12-29 01:47:22.0 +0100 
@@ -0,0 +1,247 @@ +From 5b988c081e6224b2202f114a01742f76dea27c42 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 8 Nov 2016 15:32:37 +0100 +Subject: [PATCH] printf: fix floating point buffer overflow issues + +... and add a bunch of floating point printf tests + +Back-ported to curl 7.26 by Balint Reczey + +Conflicts: + tests/data/test557 + tests/libtest/lib557.c +--- + lib/mprintf.c | 20 ++- + tests/data/test557 | 1 + + tests/libtest/lib557.c | 140 + + 3 files changed, 159 insertions(+), 2 deletions(-) + +--- a/lib/mprintf.c b/lib/mprintf.c +@@ -84,7 +84,8 @@ + # define mp_uintmax_t unsigned long + #endif + +-#define BUFFSIZE 256 /* buffer for long-to-str and float-to-str calcs */ ++#define BUFFSIZE 326 /* buffer for long-to-str and float-to-str calcs, should ++fit negative DBL_MAX (317 letters) */ + #define MAX_PARAMETERS 128 /* lame static limit */ + + #ifdef __AMIGA__ +@@ -947,12 +948,25 @@ + fptr=&formatbuf[strlen(formatbuf)]; + + if(width >= 0) { ++ if(width >= (long)sizeof(work)) ++width = sizeof(work)-1; + /* RECURSIVE USAGE */ + len = curl_msnprintf(fptr, left, "%ld", width); + fptr += len; + left -= len; + } + if(prec >= 0) { ++ /* for each digit in the integer part, we can have one less ++ precision */ ++ size_t maxprec = sizeof(work) - 2; ++ double val = p->data.dnum; ++ while(val >= 10.0) { ++val /= 10; ++maxprec--; ++ } ++ ++ if(prec > (long)maxprec) ++prec = maxprec-1; + /* RECURSIVE USAGE */ + len = curl_msnprintf(fptr, left, ".%ld", prec); + fptr += len; +@@ -972,7 +986,9 @@ + /* NOTE NOTE NOTE!! Not all sprintf() implementations returns number +of output characters */ + (sprintf)(wor
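Review bot: the wheezy18 changelog entry's CVE paragraph has a grammar slip that should be fixed before upload: `+If there are any application that accepts a format string from the outside` should read `If there is any application that accepts a format string from the outside` (or `any applications that accept`). The rest of the description matches the upstream advisory wording, which is fine to keep.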
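Review bot: the BUFFSIZE hunk in lib/mprintf.c raises the buffer from 256 to 326 and the comment cites "negative DBL_MAX (317 letters)" without saying where 317 comes from; spelling it out in the comment (sign + 309 integer digits + '.' + the six default `%f` decimals = 317) would let the next reader verify the 9 bytes of slack instead of trusting the number, and would make clear the limit assumes `%f` with default precision, which is exactly why the width/precision clamp in the later hunk is still required.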
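Review bot: in the `@@ -947,12 +948,25 @@` hunk the precision clamp only budgets positive values: `double val = p->data.dnum; while(val >= 10.0) { val /= 10; maxprec--; }` never iterates when `dnum` is negative, so a large negative number keeps the full `sizeof(work) - 2` precision allowance even though it still prints all of its integer digits, and the '-' character is not reserved either, while the BUFFSIZE comment explicitly sizes the buffer for negative DBL_MAX. Suggest counting digits on the magnitude, e.g. `if(val < 0) val = -val;` right after the declaration (avoids pulling in `fabs`), and starting from `sizeof(work) - 3` so the sign byte is accounted for. Two smaller points in the same hunk: `prec = maxprec-1;` stores a `size_t` into the `long` `prec`, so an explicit `(long)` cast would match the `(long)maxprec` comparison just above it; and since `width` is clamped to `sizeof(work)-1` independently of `prec`, a comment noting that the final length is the larger of the two (padding never adds to a string that already exceeds the width) would document why the two clamps do not need to be combined.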
Re: Call for advice regarding curl CVE-2016-9586
Thank you.

It was added to dla-needed.txt one or two days ago.

/ Ola

Sent from a phone

On 27 Dec 2016 22:37, "Antoine Beaupré" wrote:
> On 2016-12-23 17:54:11, Ola Lundqvist wrote:
> > Hi
> >
> > I have looked into CVE-2016-9586 affecting curl.
> > What I'm trying to figure out is whether it is worth the effort to fix
> > it or not.
> >
> > More info here:
> > https://curl.haxx.se/docs/adv_20161221A.html
> >
> > 1) There are no known exploits -> minor issue (?)
>
> "No known exploits" is mostly irrelevant, the severity of the issue
> is. In this case, a buffer overflow is severe enough to warrant action,
> in my opinion.
>
> > 2) The functions have been documented as deprecated for a long time
>
> Considering how old the software in wheezy is, this may mean we still
> have some of those tools. :)
>
> > 3) The problem only occurs on applications without proper input
> > sanitizing (and using curl_mprintf) so one could even argue that this
> > is not really a fault in curl at all.
>
> This I am more convinced by: it's the format string, not the argument,
> so it's less likely to be an attack vector. But as Guido said, we can't
> review all the instances and we should fix this anyways.
>
> A.
> --
> A man is none the less a slave because he is allowed to choose a new
> master once in a term of years.
> - Lysander Spooner
>
Re: Call for advice regarding curl CVE-2016-9586
On 2016-12-23 17:54:11, Ola Lundqvist wrote:
> Hi
>
> I have looked into CVE-2016-9586 affecting curl.
> What I'm trying to figure out is whether it is worth the effort to fix
> it or not.
>
> More info here:
> https://curl.haxx.se/docs/adv_20161221A.html
>
> 1) There are no known exploits -> minor issue (?)

"No known exploits" is mostly irrelevant, the severity of the issue is. In this case, a buffer overflow is severe enough to warrant action, in my opinion.

> 2) The functions have been documented as deprecated for a long time

Considering how old the software in wheezy is, this may mean we still have some of those tools. :)

> 3) The problem only occurs on applications without proper input
> sanitizing (and using curl_mprintf) so one could even argue that this
> is not really a fault in curl at all.

This I am more convinced by: it's the format string, not the argument, so it's less likely to be an attack vector. But as Guido said, we can't review all the instances and we should fix this anyways.

A.
--
A man is none the less a slave because he is allowed to choose a new
master once in a term of years.
- Lysander Spooner
Re: Call for advice regarding curl CVE-2016-9586
Hi Ola,

On Fri, Dec 23, 2016 at 11:54:11PM +0100, Ola Lundqvist wrote:
> Hi
>
> I have looked into CVE-2016-9586 affecting curl.
> What I'm trying to figure out is whether it is worth the effort to fix
> it or not.
>
> More info here:
> https://curl.haxx.se/docs/adv_20161221A.html
>
> 1) There are no known exploits -> minor issue (?)

This can change at any time.

> 2) The functions have been documented as deprecated for a long time
> 3) The problem only occurs on applications without proper input
> sanitizing (and using curl_mprintf) so one could even argue that this
> is not really a fault in curl at all.
>
> Due to this I could argue that it would mean a no-dsa tag.
>
> However the patch is quite simple so maybe it would be worth fixing anyway.
> Also it is for a library and we do not really know how libraries are
> used.

The curl_mvprintf functions seem to invoke dprintf_formatf so it would be time consuming to check if anything in Debian is affected. Given the simplicity of the patch I'd rather fix it than not.

Cheers,
-- Guido

>
> So what do you think?
Call for advice regarding curl CVE-2016-9586
Hi

I have looked into CVE-2016-9586 affecting curl. What I'm trying to figure out is whether it is worth the effort to fix it or not.

More info here:
https://curl.haxx.se/docs/adv_20161221A.html

1) There are no known exploits -> minor issue (?)
2) The functions have been documented as deprecated for a long time
3) The problem only occurs on applications without proper input sanitizing (and using curl_mprintf) so one could even argue that this is not really a fault in curl at all.

Due to this I could argue that it would mean a no-dsa tag.

However the patch is quite simple so maybe it would be worth fixing anyway. Also it is for a library and we do not really know how libraries are used.

So what do you think?

Best regards

// Ola

--
 --- Inguza Technology AB --- MSc in Information Technology ---
/  o...@inguza.com                    Folkebogatan 26             \
|  o...@debian.org                    654 68 KARLSTAD             |
|  http://inguza.com/                 Mobile: +46 (0)70-332 1551  |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9    /
 ----------------------------------------------------------------
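The overflow this thread is about, as an added worked example that is not code from curl, from Debian, or from any participant: it measures how many bytes a `%f` conversion of a double really needs, shows that a precision taken from a format string pushes that past the 256-byte work buffer the backported patch replaces (and that negative DBL_MAX with the default six decimals needs exactly the 317 bytes the patch's BUFFSIZE comment cites), and implements a clamp in the spirit of the patch that also budgets the sign and the integer digits of negative values. The helper names (`float_output_len`, `clamp_float_format`, `format_float_bounded`, `fits_in_buffer`) and the two size macros are this example's own assumptions.

```c
#include <float.h>
#include <math.h>
#include <stdio.h>
#include <string.h>

/* Sizes from the patch under discussion: curl's fixed "work" buffer was
   256 bytes before the fix and 326 after.  Hypothetical macro names. */
#define OLD_BUFFSIZE 256
#define NEW_BUFFSIZE 326

/* Bytes (NUL excluded) that "%<width>.<prec>f" produces for val.
   snprintf with a NULL destination only measures; it writes nothing. */
size_t float_output_len(double val, int width, int prec)
{
    int n = snprintf(NULL, 0, "%*.*f", width, prec, val);
    return n < 0 ? 0 : (size_t)n;
}

/* Shrink width and precision so that "%*.*f" of val fits in bufsize bytes
   (NUL included).  Same approach as the curl patch, one less digit of
   precision per integer digit, but computed on |val| so that negative
   values are budgeted, and with one byte reserved for the sign.
   Hypothetical helper, not curl code. */
void clamp_float_format(double val, size_t bufsize, int *width, int *prec)
{
    int maxlen = (int)bufsize - 1;            /* room for characters */
    if (*width > maxlen)
        *width = maxlen;
    if (*prec < 0)
        return;                               /* no explicit precision */
    double mag = fabs(val);
    int intdigits = 1;
    if (isfinite(mag)) {
        while (mag >= 10.0) {                 /* count integer digits */
            mag /= 10.0;
            intdigits++;
        }
    } else {
        intdigits = 3;                        /* "inf" or "nan" */
    }
    /* sign + integer digits + '.' + prec must not exceed maxlen */
    int maxprec = maxlen - 1 - intdigits - 1;
    if (maxprec < 0)
        maxprec = 0;
    if (*prec > maxprec)
        *prec = maxprec;
}

/* Format val into buf after clamping.  Returns 1 when the full result fit,
   0 when snprintf had to truncate (the caller must not trust buf then). */
int format_float_bounded(char *buf, size_t bufsize, double val,
                         int width, int prec)
{
    clamp_float_format(val, bufsize, &width, &prec);
    int n = snprintf(buf, bufsize, "%*.*f", width, prec, val);
    return n >= 0 && (size_t)n < bufsize;
}

/* Convenience wrapper with a stack buffer of the requested size. */
int fits_in_buffer(double val, size_t bufsize, int width, int prec)
{
    char buf[NEW_BUFFSIZE];
    if (bufsize > sizeof buf)
        bufsize = sizeof buf;
    return format_float_bounded(buf, bufsize, val, width, prec);
}

int main(void)
{
    printf("%%.0f of DBL_MAX needs %zu bytes\n",
           float_output_len(DBL_MAX, 0, 0));
    printf("%%f of -DBL_MAX needs %zu bytes\n",
           float_output_len(-DBL_MAX, 0, 6));
    printf("%%.300f of 1.0 needs %zu bytes\n",
           float_output_len(1.0, 0, 300));
    printf("-DBL_MAX fits in %d bytes after clamping: %d\n", OLD_BUFFSIZE,
           fits_in_buffer(-DBL_MAX, OLD_BUFFSIZE, 0, 1000));
    printf("-DBL_MAX fits in %d bytes after clamping: %d\n", NEW_BUFFSIZE,
           fits_in_buffer(-DBL_MAX, NEW_BUFFSIZE, 0, 1000));
    return 0;
}
```

Build with `cc -std=c99 example.c -lm`. The digit count mirrors the patch's divide-by-ten loop and is only an estimate, so `format_float_bounded` still checks snprintf's return value rather than trusting the clamp: with the old 256-byte buffer even precision 0 cannot make -DBL_MAX fit, which is why the fix had to enlarge the buffer as well as clamp the format parameters.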