VYPR
Unrated severity · NVD Advisory · Published Jul 31, 2018 · Updated Apr 16, 2026

CVE-2016-8617

Description

Curl before 7.51.0 has a buffer under-allocation in base64 encoding on 32-bit systems when processing large input via CURLOPT_USERNAME, leading to out-of-bounds write.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The static base64_encode() function in lib/base64.c, which Curl_base64_encode() and Curl_base64url_encode() wrap, sizes its output buffer from the input length with an unchecked multiplication of the form insize * 4 / 3 + 4 [3]. On a 32-bit system size_t is 32 bits wide, so for an input of at least 1 GiB (2^30 bytes) the product insize * 4 wraps around to a small value, the buffer is allocated far too small, and the encoder then writes the full output, one third larger than the input, past its end: a heap buffer overflow [2][4]. The input reaches this path through CURLOPT_USERNAME, whose value libcurl base64-encodes, for example when it builds an HTTP Basic Authorization header. 64-bit builds are not affected, because a 64-bit size_t cannot wrap for any input that could plausibly be allocated.
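An added illustration of the size calculation described above (example code written for this page, not curl's own lib/base64.c): it simulates a 32-bit size_t with uint32_t so the wrap is visible on any host, shows the unchecked computation handing back a 4-byte buffer for a 1 GiB input, and then bounds the input size before the multiplication, which is the shape of the check the 7.51.0 fix takes. The encoder and the helper names (b64_outsize_unchecked, b64_outsize_checked, b64_encode, b64_encode_equals) are this example's own, not libcurl API.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A 32-bit size type, so the arithmetic below behaves as size_t does in a
 * 32-bit libcurl build regardless of the host this is compiled on. */
typedef uint32_t size32_t;

#define ONE_GIB ((size32_t)1 << 30)

/* The unchecked computation: output = insize * 4 / 3 + 4.
 * The product insize * 4 wraps modulo 2^32 once insize >= 2^30, so a 1 GiB
 * input yields a 4-byte buffer while the encoder still emits ~1.33 GiB. */
size32_t b64_outsize_unchecked(size32_t insize)
{
    return insize * 4 / 3 + 4;
}

/* The hardened form: bound the input before multiplying. Anything above
 * UINT32_MAX / 4 would wrap, so it is refused (0 means "refuse"). */
size32_t b64_outsize_checked(size32_t insize)
{
    if (insize > UINT32_MAX / 4)
        return 0;
    return insize * 4 / 3 + 4;
}

static const char b64tab[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Minimal base64 encoder (this example's own, not curl's) that allocates
 * from the checked size, so a refused length never reaches malloc(). */
char *b64_encode(const unsigned char *in, size32_t insize)
{
    size32_t cap = b64_outsize_checked(insize);
    if (cap == 0)
        return NULL;                       /* would wrap: refuse */
    char *out = malloc(cap);
    if (out == NULL)
        return NULL;

    size32_t i = 0, o = 0;
    while (i < insize) {
        uint32_t n = (uint32_t)in[i++] << 16;
        int have = 1;
        if (i < insize) { n |= (uint32_t)in[i++] << 8; have++; }
        if (i < insize) { n |= (uint32_t)in[i++];      have++; }
        out[o++] = b64tab[(n >> 18) & 63];
        out[o++] = b64tab[(n >> 12) & 63];
        out[o++] = have > 1 ? b64tab[(n >> 6) & 63] : '=';
        out[o++] = have > 2 ? b64tab[n & 63] : '=';
    }
    /* floor(4n/3) + 4 >= 4*ceil(n/3) + 1 for every n, so the NUL fits. */
    out[o] = '\0';
    return out;
}

/* Returns 1 if encoding `in` yields exactly `expected`, else 0. */
int b64_encode_equals(const char *in, const char *expected)
{
    char *enc = b64_encode((const unsigned char *)in, (size32_t)strlen(in));
    int same = enc != NULL && strcmp(enc, expected) == 0;
    free(enc);
    return same;
}

int main(void)
{
    printf("1 GiB input, unchecked size: %" PRIu32 " bytes\n",
           b64_outsize_unchecked(ONE_GIB));
    printf("1 GiB input, checked size:   %" PRIu32 " (refused)\n",
           b64_outsize_checked(ONE_GIB));
    printf("largest accepted input:      %" PRIu32 " bytes\n",
           UINT32_MAX / 4);
    char *enc = b64_encode((const unsigned char *)"user:pass", 9);
    printf("\"user:pass\" -> %s\n", enc ? enc : "(null)");
    free(enc);
    return 0;
}
```

The unchecked helper never allocates anything here, so running it is safe; it only reports the wrapped size a 32-bit build would have passed to malloc(). The bound in the checked helper is deliberately placed before the multiplication, since checking the product afterwards would already be looking at a wrapped value.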

Exploitation

The attacker must get a username of at least 1 GiB into a 32-bit libcurl build. CURLOPT_USERNAME is set by the calling application, so in practice this means controlling the credential string an application passes to libcurl; a remote server cannot set the option on its own. No valid credentials are needed, because the overflow happens while the username is being base64-encoded, before any authentication exchange completes. The need for a gigabyte-sized username, and the restriction to 32-bit builds, make the bug hard to reach in most deployments.

Impact

Successful exploitation gives an out-of-bounds write on the heap. The immediate effect is a crash; because the data written past the buffer is the base64 encoding of an attacker-chosen username, and the attacker also controls its length, memory corruption leading to code execution in the context of the process using libcurl cannot be ruled out. Only 32-bit builds are affected. Red Hat's two advisories rate the issue differently: Important in [2] and Medium in [1].

Mitigation

The fix shipped in curl 7.51.0: the base64 encoder now refuses oversized inputs before computing the buffer size instead of allocating from a wrapped-around value. Upgrade to 7.51.0 or later. Red Hat shipped the fix for httpd24-curl in RHSA-2018:3558 [1] and for JBoss Core Services in RHSA-2018:2486 [2]; Tenable LCE 4.8.2 also includes it [3]. There is no configuration knob inside libcurl that avoids the bug, but an application that cannot upgrade can bound the length of the username it hands to libcurl, since the overflow needs an input of at least 1 GiB on a 32-bit build.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

12

Patches

0

No patches discovered yet.

References

12
