libcurl's (new) internal function that returns a good 32bit
random value was implemented poorly and overwrote the pointer
instead of writing the value into the buffer the pointer
pointed to.
This random value is used to generate nonces for Digest and
NTLM authentication, for generating boundary strings in HTTP
formposts and more. Having a weak or virtually non-existent
random there makes these operations vulnerable.
This function is brand new in 7.52.0 and is the result of an
overhaul to make sure libcurl uses strong random as much as
possible - provided by the backend TLS crypto libraries when
present. The faulty function was introduced in this commit.
We are not aware of any exploit of this flaw.