{"id":"MGASA-2017-0281","summary":"Updated curl packages fix security vulnerabilities","details":"When asking to get a file from a file:// URL, libcurl provides a feature that\noutputs meta-data about the file using HTTP-like headers. The code doing this\nwould send the wrong buffer to the user (stdout or the application's provide\ncallback), which could lead to other private data from the heap to get\ninadvertently displayed. The wrong buffer was an uninitialized memory area\nallocated on the heap and if it turned out to not contain any zero byte, it\nwould continue and display the data following that buffer in memory\n(CVE-2017-1000099).\n\nWhen doing a TFTP transfer and curl/libcurl is given a URL that contains a very\nlong file name (longer than about 515 bytes), the file name is truncated to fit\nwithin the buffer boundaries, but the buffer size is still wrongly updated to\nuse the untruncated length. This too large value is then used in the sendto()\ncall, making curl attempt to send more data than what is actually put into the\nbuffer. The sendto() function will then read beyond the end of the heap based\nbuffer. A malicious HTTP(S) server could redirect a vulnerable libcurl-using\nclient to a crafted TFTP URL (if the client hasn't restricted which protocols\nit allows redirects to) and trick it to send private memory contents to a\nremote server over UDP. Limit curl's redirect protocols with --proto-redir and\nlibcurl's with CURLOPT_REDIR_PROTOCOLS (CVE-2017-1000100).\n\ncurl supports \"globbing\" of URLs, in which a user can pass a numerical range to\nhave the tool iterate over those numbers to do a sequence of transfers. In the\nglobbing function that parses the numerical range, there was an omission that\nmade curl read a byte beyond the end of the URL if given a carefully crafted,\nor just wrongly written, URL. The URL is stored in a heap based buffer, so it\ncould then be made to wrongly read something else instead of crashing\n(CVE-2017-1000101).\n","modified":"2026-02-04T04:39:47.463285Z","published":"2017-08-19T09:58:33Z","related":["CVE-2017-1000099","CVE-2017-1000100","CVE-2017-1000101"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2017-0281.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=21481"},{"type":"REPORT","url":"https://curl.haxx.se/docs/adv_20170809A.html"},{"type":"REPORT","url":"https://curl.haxx.se/docs/adv_20170809B.html"},{"type":"REPORT","url":"https://curl.haxx.se/docs/adv_20170809C.html"}],"affected":[{"package":{"name":"curl","ecosystem":"Mageia:6","purl":"pkg:rpm/mageia/curl?arch=source&distro=mageia-6"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"7.54.1-2.2.mga6"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2017-0281.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}