CVE-2016-9586

Published: 21 December 2016

curl before version 7.52.0 is vulnerable to a buffer overflow when producing a large floating point output in libcurl's implementation of the printf() functions. If an application accepts a format string from the outside without the necessary input filtering, this could allow remote attacks.
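The C program below is an added illustration for this entry; it is neither curl's code nor the upstream fix. It models the bug class described above (a caller-chosen %f width or precision producing more bytes than a fixed conversion buffer holds) together with the two checks a practitioner wants: a filter on any format string that arrives from outside, and a clamp on width and precision before formatting into a fixed-size buffer. WORK_SIZE (256) stands in for the formatter's fixed work buffer and every function name here is an assumption made for the example.

```c
/* Added example, not curl's code.  Models a caller-chosen %f width/precision
   running past a fixed conversion buffer, plus the two defences: an input
   filter in the application and a clamp in the formatter.  WORK_SIZE = 256
   and all function names are assumptions for illustration. */
#include <stdio.h>
#include <string.h>

#define WORK_SIZE 256

/* Negative width means "none"; negative precision means the %f default. */
static void normalize(int *width, int *prec)
{
    if (*width < 0) *width = 0;
    if (*prec < 0)  *prec = 6;
}

/* Exact byte count "%[width].[prec]f" produces for v, without writing. */
static int double_fmt_len(int width, int prec, double v)
{
    normalize(&width, &prec);
    return snprintf(NULL, 0, "%*.*f", width, prec, v);
}

/* The vulnerable shape: a fixed work buffer and an unchecked width or
   precision.  Returns 1 if sprintf(work, "%*.*f", ...) would run past it. */
static int would_overflow(int width, int prec, double v)
{
    return double_fmt_len(width, prec, v) >= WORK_SIZE;
}

/* The hardened shape: clamp width and precision so the output always fits
   in worklen bytes including the NUL.  The integer digits of v cannot be
   clamped away, so a value too wide on its own is refused with -1. */
static int format_double_clamped(char *work, size_t worklen,
                                 int width, int prec, double v)
{
    size_t maxw = worklen - 1;                   /* characters, excluding NUL */
    int int_len;
    normalize(&width, &prec);
    if ((size_t)width > maxw)
        width = (int)maxw;
    int_len = snprintf(NULL, 0, "%.0f", v);      /* integer part incl. sign */
    if (int_len < 0 || (size_t)int_len > maxw)
        return -1;
    if (prec > 0 && (size_t)int_len + 1 + (size_t)prec > maxw) {
        long room = (long)maxw - int_len - 1;    /* digits left after "int." */
        prec = room > 0 ? (int)room : 0;
    }
    return snprintf(work, worklen, "%*.*f", width, prec, v);
}

/* Input filter for a format string received from outside: accept exactly
   one "%[width][.prec]f" and nothing else (no flags, no '*', no other
   conversion, no surrounding text).  Returns 1 and sets width/prec (-1 when
   absent), or 0 to reject. */
static int parse_double_format(const char *fmt, int *width, int *prec)
{
    const char *p = fmt;
    long n;
    *width = *prec = -1;
    if (*p++ != '%')
        return 0;
    if (*p >= '0' && *p <= '9') {
        for (n = 0; *p >= '0' && *p <= '9'; p++)
            if ((n = n * 10 + (*p - '0')) > 1000000) return 0;   /* absurd */
        *width = (int)n;
    }
    if (*p == '.') {
        for (p++, n = 0; *p >= '0' && *p <= '9'; p++)
            if ((n = n * 10 + (*p - '0')) > 1000000) return 0;
        *prec = (int)n;
    }
    return *p++ == 'f' && *p == '\0';
}

/* What an application that must honour an external format should do:
   filter, then format with clamped width/precision.  The external string
   is never used as the format argument of a printf-style call. */
static int render_external_double(char *out, size_t outlen,
                                  const char *ext_fmt, double v)
{
    int width, prec;
    if (!parse_double_format(ext_fmt, &width, &prec))
        return -1;
    return format_double_clamped(out, outlen, width, prec, v);
}

int main(void)
{
    char work[WORK_SIZE];
    printf("%%f of 1e300 needs %d bytes; overflows %d-byte buffer: %d\n",
           double_fmt_len(0, -1, 1e300), WORK_SIZE, would_overflow(0, -1, 1e300));
    printf("\"%%1000f\" of 3.5 clamped to %d bytes, \"%%s\" rejected: %d\n",
           render_external_double(work, sizeof work, "%1000f", 3.5),
           render_external_double(work, sizeof work, "%s", 3.5));
    return 0;
}
```

The integer part is the one thing the clamp cannot shrink, which is why format_double_clamped refuses a value whose %.0f rendering alone exceeds the buffer rather than truncating it; a plain %f of 1e300 is exactly that case.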

Priority

Low

CVSS 3 base score: 8.1

Status

Package: curl (Launchpad, Ubuntu, Debian)

Release                           Status
Upstream                          Released (7.52.0)
Ubuntu 16.04 ESM (Xenial Xerus)   Released (7.47.0-1ubuntu2.3)
Ubuntu 14.04 ESM (Trusty Tahr)    Released (7.35.0-1ubuntu2.11)
Patches:
Upstream: https://github.com/curl/curl/commit/3ab3c16db6a5674f53cf23d56512a405fde0b2c9
Upstream: https://curl.haxx.se/CVE-2016-9586.patch