{"id":"CURL-CVE-2017-7407","summary":"--write-out out of buffer read","details":"There were two bugs in curl's parser for the command line option `--write-out`\n(or `-w` for short) that would skip the end of string zero byte if the string\nended in a `%` (percent) or `\\` (backslash), and it would read beyond that\nbuffer in the heap memory and it could then potentially output pieces of that\nmemory to the terminal or the target file etc.\n\nThe curl security team did not report this as a security vulnerability due to\nthe minimal risk: the memory this would output comes from the process the user\nitself invokes and that runs with the same privileges as the user. We could\nnot come up with a likely scenario where this could leak other users' data or\nmemory contents.\n\nAn external party registered this as a CVE with MITRE and we feel a\nresponsibility to clarify what this flaw is about. The CVE-2017-7407 issue is\nspecifically only about the `%` part of this flaw.\n\nThis flaw only exists in the command line tool.","aliases":["CVE-2017-7407"],"modified":"2024-12-18T10:24:02Z","published":"2017-04-03T08:00:00Z","database_specific":{"last_affected":"7.53.1","severity":"Medium","URL":"https://curl.se/docs/CVE-2017-7407.json","CWE":{"id":"CWE-126","desc":"Buffer Over-read"},"package":"curl","affects":"tool","www":"https://curl.se/docs/CVE-2017-7407.html"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"6.5"},{"fixed":"7.54.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"d073ec0a719bfad28b791f1ead089be655b896e9"},{"fixed":"8e65877870c1fac920b65219adec720df810aab9"}]}],"versions":["7.53.1","7.53.0","7.52.1","7.52.0","7.51.0","7.50.3","7.50.2","7.50.1","7.50.0","7.49.1","7.49.0","7.48.0","7.47.1","7.47.0","7.46.0","7.45.0","7.44.0","7.43.0","7.42.1","7.42.0","7.41.0","7.40.0","7.39.0","7.38.0","7.37.1","7.37.0","7.36.0","7.35.0","7.34.0","7.33.0","7.32.0","7.31.0","7.30.0","7.29.0","7.28.1","7.28.0","7.27.0","7.26.0","7.25.0","7.24.0","7.23.1","7.23.0","7.22.0","7.21.7","7.21.6","7.21.5","7.21.4","7.21.3","7.21.2","7.21.1","7.21.0","7.20.1","7.20.0","7.19.7","7.19.6","7.19.5","7.19.4","7.19.3","7.19.2","7.19.1","7.19.0","7.18.2","7.18.1","7.18.0","7.17.1","7.17.0","7.16.4","7.16.3","7.16.2","7.16.1","7.16.0","7.15.5","7.15.4","7.15.3","7.15.2","7.15.1","7.15.0","7.14.1","7.14.0","7.13.2","7.13.1","7.13.0","7.12.3","7.12.2","7.12.1","7.12.0","7.11.2","7.11.1","7.11.0","7.10.8","7.10.7","7.10.6","7.10.5","7.10.4","7.10.3","7.10.2","7.10.1","7.10","7.9.8","7.9.7","7.9.6","7.9.5","7.9.4","7.9.3","7.9.2","7.9.1","7.9","7.8.1","7.8","7.7.3","7.7.2","7.7.1","7.7","7.6.1","7.6","7.5.2","7.5.1","7.5","7.4.2","7.4.1","7.4","7.3","7.2.1","7.2","7.1.1","7.1","6.5.2","6.5.1","6.5"],"database_specific":{"source":"https://curl.se/docs/CURL-CVE-2017-7407.json","vanir_signatures":[{"digest":{"function_hash":"181775609377580021629830941294468531518","length":5521},"signature_version":"v1","id":"CURL-CVE-2017-7407-2bb1459c","deprecated":false,"source":"https://github.com/curl/curl.git/commit/8e65877870c1fac920b65219adec720df810aab9","signature_type":"Function","target":{"file":"src/tool_writeout.c","function":"ourWriteOut"}},{"digest":{"threshold":0.9,"line_hashes":["323529524803096925274629774694826142887","93201206775415248641080112506580979891","255254953096829773134560247640764640484","152623425089889993602321028291981311279","152563424797949515551240558116787247461"]},"signature_version":"v1","id":"CURL-CVE-2017-7407-a67fdb31","deprecated":false,"source":"https://github.com/curl/curl.git/commit/8e65877870c1fac920b65219adec720df810aab9","signature_type":"Line","target":{"file":"src/tool_writeout.c"}}]}}],"schema_version":"1.7.3","credits":[{"name":"Brian Carpenter (Geeknik Labs)","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}