{"id":"CURL-CVE-2016-8620","summary":"glob parser write/read out of bounds","details":"The curl tool's \"globbing\" feature allows a user to specify a numerical range\nthrough which curl iterates. It is typically specified as `[1-5]`, specifying\nthe first and the last numbers in the range. Or with `[a-z]`, using letters.\n\n1. The curl code for parsing the second *unsigned* number did not check for a\nleading minus character, which allowed a user to specify `[1--1]` with no\ncomplaints and have the latter `-1` number get turned into the largest\nunsigned long value the system can handle. This would ultimately cause curl to\nwrite outside the dedicated heap allocated buffer after no less than 100,000\niterations, since it would have room for 5 digits but not 6.\n\n2. When the range is specified with letters, and the ending letter is left out\n`[L-]`, the code would still advance its read pointer 5 bytes even if the\nstring was just 4 bytes and end up reading outside the given buffer.\n\nThis flaw exists only in the curl tool, not in the libcurl library.","aliases":["CVE-2016-8620"],"modified":"2024-06-07T13:53:51Z","published":"2016-11-02T08:00:00Z","database_specific":{"www":"https://curl.se/docs/CVE-2016-8620.html","package":"curl","URL":"https://curl.se/docs/CVE-2016-8620.json","last_affected":"7.50.3","affects":"tool","severity":"Medium","CWE":{"id":"CWE-122","desc":"Heap-based Buffer Overflow"}},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.34.0"},{"fixed":"7.51.0"}]}],"versions":["7.50.3","7.50.2","7.50.1","7.50.0","7.49.1","7.49.0","7.48.0","7.47.1","7.47.0","7.46.0","7.45.0","7.44.0","7.43.0","7.42.1","7.42.0","7.41.0","7.40.0","7.39.0","7.38.0","7.37.1","7.37.0","7.36.0","7.35.0","7.34.0"],"database_specific":{"source":"https://curl.se/docs/CURL-CVE-2016-8620.json"}}],"schema_version":"1.7.3","credits":[{"name":"Luật Nguyễn","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}