[3.4] curl: Multiple vulnerabilities (CVE-2017-1000100, CVE-2017-1000101)
CVE-2017-1000100: TFTP sends more than buffer size
When doing a TFTP upload and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too large value is then used in the `send()` call, making curl attempt to send more data than what is actually put into the buffer. The `send()` function will then read beyond the end of the heap based buffer.
Affected versions: libcurl 7.15.0 to and including 7.54.1
Not affected versions: libcurl < 7.15.0 and >= 7.55.0
References:
https://curl.haxx.se/docs/adv_20170809B.html
Patch:
https://curl.haxx.se/CVE-2017-1000100.patch
CVE-2017-1000101: URL globbing out of bounds read
In the globbing function that parses the numerical range, there was an omission that made curl read a byte beyond the end of the URL if given a carefully crafted, or just wrongly written, URL. The URL is stored in a heap based buffer, so it could then be made to wrongly read something else instead of crashing.
Affected versions: curl 7.34.0 to and including 7.54.1
Not affected versions: curl < 7.34.0 and >= 7.55.0
References:
https://curl.haxx.se/docs/adv_20170809A.html
Patch:
https://curl.haxx.se/CVE-2017-1000101.patch
(from redmine: issue id 7656, created on 2017-08-10, closed on 2017-08-14)
- Relations:
- parent #7652 (closed)
- Changesets:
- Revision 4a60b4d3 by Natanael Copa on 2017-08-14T09:03:25Z:
main/curl: security upgrade to 7.55.0
CVE-2017-1000099
CVE-2017-1000100
CVE-2017-1000101
fixes #7656
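The length-accounting flaw described under CVE-2017-1000100, shown next to a checked variant, as an added example that is not curl's code and not part of the original issue. The function names, the 516-byte packet size and the 600-byte file name are assumptions made for illustration; the flawed function only returns the length it would hand to `send()` and never sends anything.

```c
#include <stdio.h>
#include <string.h>

#define PKT_SIZE 516 /* assumed: 4-byte TFTP header + 512-byte block */

/* Flawed pattern from the advisory text: snprintf() truncates the
 * name to fit, but the length is computed from the untruncated input. */
static size_t build_wrq_buggy(unsigned char *pkt, const char *name,
                              const char *mode)
{
    pkt[0] = 0;
    pkt[1] = 2; /* TFTP opcode 2 = write request (upload) */
    snprintf((char *)pkt + 2, PKT_SIZE - 2, "%s%c%s", name, '\0', mode);
    return 4 + strlen(name) + strlen(mode); /* can exceed PKT_SIZE */
}

/* Hardened form: refuse a name that does not fit, so the length handed
 * to send() can never be larger than the buffer. Returns 0 or -1. */
static int build_wrq_checked(unsigned char *pkt, const char *name,
                             const char *mode, size_t *len)
{
    size_t nlen = strlen(name), mlen = strlen(mode);

    if (nlen > PKT_SIZE - 4 || mlen > PKT_SIZE - 4 - nlen)
        return -1;
    pkt[0] = 0;
    pkt[1] = 2;
    memcpy(pkt + 2, name, nlen + 1);        /* name plus its NUL */
    memcpy(pkt + 3 + nlen, mode, mlen + 1); /* mode plus its NUL */
    *len = 4 + nlen + mlen;
    return 0;
}

int main(void)
{
    unsigned char pkt[PKT_SIZE];
    char name[601]; /* constructed input: 600-byte file name */
    size_t len = 0;
    int rc;

    memset(name, 'A', 600);
    name[600] = '\0';
    printf("buffer %d, flawed length %zu\n", PKT_SIZE,
           build_wrq_buggy(pkt, name, "octet"));
    printf("checked, long name: %d\n",
           build_wrq_checked(pkt, name, "octet", &len));
    rc = build_wrq_checked(pkt, "file.bin", "octet", &len);
    printf("checked, short name: %d (len %zu)\n", rc, len);
    return 0;
}
```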