Date: Tue, 4 Apr 2017 17:09:25 +0200 (CEST) From: Daniel Stenberg <daniel@...x.se> To: curl security announcements -- curl users <curl-users@...l.haxx.se>, curl-announce@...l.haxx.se, libcurl hacking <curl-library@...l.haxx.se>, oss-security@...ts.openwall.com Subject: [SECURITY ADVISORY] curl: --write-out out of buffer read --write-out out of buffer read ============================== Project curl Security Advisory, April 3, 2017 - [Permalink](https://curl.haxx.se/docs/adv_20170403.html) VULNERABILITY ------------- There were two bugs in curl's parser for the command line option `--write-out` (or `-w` for short) that would skip the end of string zero byte if the string ended in a `%` (percent) or `\` (backslash), and it would read beyond that buffer in the heap memory and it could then potentially output pieces of that memory to the terminal or the target file etc. The curl security team did not report this as a security vulnerability due to the minimal risk: the memory this would output comes from the process the user itself invokes and that runs with the same privileges as the user. We could not come up with a likely scenario where this could leak other users' data or memory contents. An external party registered this as a [CVE with mitre.org](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7407) and we feel a responsibility to clarify what this flaw is about. The CVE-2017-7407 issue is specifically only about the `%` part of this flaw. This flaw only exists in the command line tool. We are not aware of any exploit of this flaw. INFO ---- The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2017-7407 to this issue. AFFECTED VERSIONS ----------------- curl has supported this option since version 6.5 (released March 13, 2000). This flaw exists in the following curl versions. - Affected versions: 6.5 to and including 7.53.1 - Not affected versions: < 6.5 and >= 7.54.0 THE SOLUTION ------------ In version 7.54.0, the end of the buffer is properly acknowledged and we have added tests that verify this functionality. The curl project has (as of this writing) not yet released a version with this problem fixed. It is however already fixed in curl's git repository, commits [1890d59905414ab](https://github.com/curl/curl/commit/1890d59905414ab84a) and [8e65877870c1](https://github.com/curl/curl/commit/8e65877870c1). The fix is also available as a [stand-alone patch](https://curl.haxx.se/CVE-2017-7407.patch). RECOMMENDATIONS --------------- We suggest you take one of the following actions immediately, in order of preference: A - Upgrade curl and libcurl to version 7.54.0 B - Apply the patch to your version and rebuild C - Do not use the `--write-out` feature with unchecked input TIME LINE --------- It was first reported to the curl project on March 10. The Mitre CVE registration was [brought to our attention](https://github.com/curl/curl/commit/1890d59905414ab84a35892b2e45833654aa5c13#commitc omment-21618166) on April 4, 2017. The first commit to fix this was made public on March 11. curl 7.54.0 is to be released on April 19 2017 CREDITS ------- Reported to the curl project by Brian Carpenter -- / daniel.haxx.se
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.