[3.3] curl: printf floating point buffer overflow (CVE-2016-9586)
libcurl’s implementation of the printf() functions triggers a buffer overflow when doing a large floating point output. The bug occurs when the conversion outputs more than 255 bytes.
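To make the failure mode concrete from a defender's side, here is an added example (not curl's code and not from the advisory) showing how far a plain `%f` conversion can exceed a fixed 256-byte conversion buffer, and the bounded pattern that avoids the overflow: size the output with `snprintf(NULL, 0, ...)` and check the return value against the buffer size. `CONV_BUF_SIZE` is a constructed stand-in for a fixed-size conversion buffer, and the sample values are constructed inputs, not from the page.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constructed stand-in for a fixed-size conversion buffer; the advisory
   describes overflow once a conversion outputs more than 255 bytes. */
#define CONV_BUF_SIZE 256

/* Number of bytes a "%f" conversion of v produces (excluding the NUL).
   snprintf with a NULL buffer and size 0 only measures, it writes nothing. */
size_t double_fmt_len(double v) {
    int n = snprintf(NULL, 0, "%f", v);
    return n < 0 ? 0 : (size_t)n;
}

/* Bounded conversion: never writes past bufsize-1 and always NUL-terminates.
   Returns true if the whole conversion fit, false if it was truncated. */
bool format_double_bounded(char *buf, size_t bufsize, double v) {
    int n = snprintf(buf, bufsize, "%f", v);
    return n >= 0 && (size_t)n < bufsize;
}

/* True when v would not fit in a CONV_BUF_SIZE buffer, i.e. the conversion
   outputs more than CONV_BUF_SIZE-1 (255) bytes. An unbounded sprintf into
   such a buffer would write past its end. */
bool exceeds_fixed_buffer(double v) {
    return double_fmt_len(v) > CONV_BUF_SIZE - 1;
}

/* Length actually stored in a fixed buffer after the bounded conversion;
   capped at CONV_BUF_SIZE-1 instead of overflowing. */
size_t bounded_output_len(double v) {
    char buf[CONV_BUF_SIZE];
    format_double_bounded(buf, sizeof buf, v);
    return strlen(buf);
}

int main(void) {
    char buf[CONV_BUF_SIZE];
    double samples[] = { 3.14159, 1e100, 1e300 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t need = double_fmt_len(samples[i]);
        bool fit = format_double_bounded(buf, sizeof buf, samples[i]);
        printf("%%f of %g needs %zu bytes: %s\n", samples[i], need,
               fit ? "fits in the 256-byte buffer"
                   : "truncated (an unbounded sprintf would overflow)");
    }
    return 0;
}
```

The point of `double_fmt_len` is that a double such as 1e300 legitimately expands to over 300 characters under `%f`, so any fixed-size conversion buffer must either be sized from the measured length or the conversion must be bounded and its return value checked, as `format_double_bounded` does.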
Affected versions:
libcurl 7.1 to and including 7.51.0
Fixed in:
libcurl 7.52.0 (note that 7.52.0 introduces a new vulnerability: https://curl.haxx.se/docs/adv_20161223.html)
References:
https://curl.haxx.se/docs/adv_20161221A.html
http://seclists.org/oss-sec/2016/q4/719
Patch:
https://curl.haxx.se/CVE-2016-9586.patch
(from redmine: issue id 6600, created on 2016-12-29, closed on 2017-01-10)
- Relations:
  - parent #6598 (closed)
- Changesets:
  - Revision 8a5e3005 by Sergei Lukin on 2017-01-09T15:33:07Z:
main/curl: security upgrade to 7.52.1 - fixes #6600
CVE-2016-9594: uninitialized random
CVE-2016-9586: printf floating point buffer overflow
CVE-2016-9952: Win CE schannel cert wildcard matches too much
CVE-2016-9953: Win CE schannel cert name out of buffer read
CVE-2016-8625: IDNA 2003 makes curl use wrong host
https://curl.haxx.se/changes.html