Date: Fri, 11 Aug 2017 12:17:52 -0700
From: Yiteng Zhang <yiteng.zhang@...cle.com>
To: oss-security@...ts.openwall.com,
 curl security announcements -- curl users <curl-users@...l.haxx.se>,
 curl-announce@...l.haxx.se, libcurl hacking <curl-library@...l.haxx.se>
Subject: Re: [SECURITY ADVISORY] curl: FILE buffer read out of bounds

Bug Filed:

26620281 - CVE-2017-1000099 curl: FILE buffer read out of bounds

Yiteng

On 08/ 8/17 11:05 PM, Daniel Stenberg wrote:
> FILE buffer read out of bounds
> ==============================
>
> Project curl Security Advisory, August 9th 2017 -
> [Permalink](https://curl.haxx.se/docs/adv_20170809C.html)
>
> VULNERABILITY
> -------------
>
> When asking to get a file from a file:// URL, libcurl provides a feature that
> outputs meta-data about the file using HTTP-like headers.
>
> The code doing this would send the wrong buffer to the user (stdout or the
> application's provided callback), which could lead to other private data from
> the heap to get inadvertently displayed.
>
> The wrong buffer was an uninitialized memory area allocated on the heap and if
> it turned out to not contain any zero byte, it would continue and display the
> data following that buffer in memory.
>
> We are not aware of any exploit of this flaw.
>
> INFO
> ----
>
> This flaw also affects the curl command line tool.
>
> The Common Vulnerabilities and Exposures (CVE) project has assigned the name
> CVE-2017-1000099 to this issue.
>
> AFFECTED VERSIONS
> -----------------
>
> This bug was pushed to curl in commit
> [7c312f84ea930d8](https://github.com/curl/curl/commit/7c312f84ea930d8), April
> 2017.
>
> - Affected versions: libcurl 7.54.1
> - Not affected versions: libcurl < 7.54.1 and >= 7.55.0
>
> libcurl is used by many applications, but not always advertised as such.
>
> THE SOLUTION
> ------------
>
> The function now sends the correct buffer to the application.
>
> A [patch for CVE-2017-1000099](https://curl.haxx.se/CVE-2017-1000099.patch) is
> available.
>
> RECOMMENDATIONS
> ---------------
>
> We suggest you take one of the following actions immediately, in order of
> preference:
>
> A - Upgrade curl and libcurl to version 7.55.0
>
> B - Apply the patch to your version and rebuild
>
> C - Do not use `CURLOPT_NOBODY` *and* `CURLOPT_HEADER` with file:// URLs
>
> TIME LINE
> ---------
>
> It was reported to the curl project on July 15, 2017. We contacted
> distros@...nwall on August 1.
>
> libcurl 7.55.0 was released on August 9 2017, coordinated with the publication
> of this advisory.
>
> CREDITS
> -------
>
> Reported by Even Rouault. Discovery: credit to OSS-Fuzz. Patch by Even
> Rouault.
>
> Thanks a lot!
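
The bug class the advisory describes, modelled in a few lines of C as an added illustration; this is not curl's code and not part of the original message. The flat `heap` array, the `sink` callback, the function names and the `Content-Length` header are assumptions made for the example, and the "private data" string is constructed.

```c
#include <stdio.h>
#include <string.h>

#define SCRATCH_LEN 16  /* size of the never-written buffer */
#define HEAP_LEN    48  /* scratch plus the data that follows it */

/* Constructed model of the heap: one flat array, so reading past the
 * scratch area stays inside a single object and is well defined here. */
void make_heap(char *heap) {
    memset(heap, 'A', SCRATCH_LEN);  /* stale bytes, none of them zero */
    strcpy(heap + SCRATCH_LEN, "token=constructed-secret");
}

/* Hypothetical write callback: copies what it is handed into out. */
static size_t sink(const char *p, size_t n, char *out, size_t cap) {
    if (n >= cap) n = cap - 1;
    memcpy(out, p, n);
    out[n] = '\0';
    return n;
}

/* Buggy shape: the header is built in hdr, but the scratch buffer is
 * what gets sent, and strlen() decides how much of memory goes out. */
size_t send_header_buggy(const char *scratch, long size, char *out, size_t cap) {
    char hdr[64];
    snprintf(hdr, sizeof hdr, "Content-Length: %ld\r\n", size);
    return sink(scratch, strlen(scratch), out, cap);
}

/* Corrected shape: send the buffer that was written, with the length
 * snprintf() reported instead of a scan for a terminator. */
size_t send_header_fixed(long size, char *out, size_t cap) {
    char hdr[64];
    int n = snprintf(hdr, sizeof hdr, "Content-Length: %ld\r\n", size);
    if (n < 0 || (size_t)n >= sizeof hdr) return 0;
    return sink(hdr, (size_t)n, out, cap);
}

int main(void) {
    char heap[HEAP_LEN], out[64];
    make_heap(heap);
    size_t n = send_header_buggy(heap, 1234, out, sizeof out);
    printf("buggy sent %zu bytes: %s\n", n, out);
    n = send_header_fixed(1234, out, sizeof out);
    printf("fixed sent %zu bytes: %s", n, out);
    return 0;
}
```

In the buggy call the output runs through the 16 stale bytes and on into the neighbouring string, because nothing but a zero byte stops it.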