CLD-161 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2017-8816 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s) adv_2017-12e7

Basic Information:

Affected Package(s) curl
Deficiency Type SECURITY
Date Created 2017-11-29 09:05:08
Date Last Modified 2017-11-29 15:00:15

Version Specific Information:

Cucumber 1.0 i686fixed in curl-7.57.0-i686-1
Cucumber 1.0 x86_64not affected

Cucumber 1.1 i686 fixed in curl-7.57.0-i686-1
Cucumber 1.1 x86_64 not affected


================================ Initial Report ================================

From Curl Security (

libcurl contains a buffer overrun flaw in the NTLM authentication code.

The internal function Curl_ntlm_core_mk_ntlmv2_hash sums up the lengths of the
user name + password (= SUM) and multiplies the sum by two (= SIZE) to figure
out how large storage to allocate from the heap.

The SUM value is subsequently used to iterate over the input and generate output
into the storage buffer. On systems with a 32 bit size_t, the math to calculate
SIZE triggers an integer overflow when the combined lengths of the user name and
password is larger than 2GB (2^31 bytes). This integer overflow usually causes a
very small buffer to actually get allocated instead of the intended very huge
one, making the use of that buffer end up in a buffer overrun.

We are not aware of any exploit of this flaw.

This bug was introduced in commit 86724581b6c02d160b5, January 2014.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2017-8816 to this issue.

================================= Our Analysis =================================

----- Affected Products -----
Curl versions after and including 7.36.0 but prior to 7.57.0 that have not had
this patch ( applied are vulnerable to
this vulnerability. 

This is buffer overrun vulnerability affecting systems with a 32 bit size_t.
This means that (in theory), only 32 bit versions of Cucumber Linux that are
running a vulnerable version of curl are affected.

As of Wed Nov 29 09:44:59 EST 2017, the following products are vulnerable to
this and will require patching:
	Cucumber Linux 1.0 i686
	Cucumber Linux 1.1 i686
The following products are not vulnerable; however, it is probably still a good
idea to apply this patch on them:
	Cucumber Linux 1.0 x86_64
	Cucumber Linux 1.1 x86_64

----- Scope and Impact of this Vulnerability -----
As of Wed Nov 29 09:44:59 EST 2017, there have been no reports of any exploit of
this flaw.

----- Fix for this Vulnerability -----
This vulnerability can be fixed by upgrading to curl 7.57.0 or applying the
patch at

================================= Our Solution =================================

We have upgraded to curl 7.57.0 to fix this vulnerability.