Your submission was sent successfully! Close

CVE-2016-8622

Published: 02 November 2016

The URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function would be made to allocate a unscape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus the length would get either just truncated or both truncated and turned negative. That could then lead to libcurl writing outside of its heap based buffer.

Priority

Medium

CVSS 3 base score: 9.8

Status

Package Release Status
curl
Launchpad, Ubuntu, Debian
Upstream
Released (7.51.0)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (7.47.0-1ubuntu2.2)
Ubuntu 14.04 ESM (Trusty Tahr)
Released (7.35.0-1ubuntu2.10)