CVE-2017-1000099 log

Source
Severity Low
Remote No
Type Information disclosure
Description
An information disclosure issue has been found in curl < 7.55.0. When asking to get a file from a file:// URL, libcurl provides a feature that outputs meta-data about the file using HTTP-like headers. The code doing this would send the wrong buffer to the user (stdout or the application's provide callback), which could lead to other private data from the heap to get inadvertently displayed. The wrong buffer was an uninitialized memory area allocated on the heap and if it turned out to not contain any zero byte, it would continue and display the data following that buffer in memory.
Group Package Affected Fixed Severity Status Ticket
AVG-389 libcurl-compat 7.54.1-1 7.56.0-1 Medium Fixed
AVG-388 lib32-libcurl-compat 7.54.1-1 7.56.0-1 Medium Fixed
AVG-387 libcurl-gnutls 7.54.1-1 7.56.0-1 Medium Fixed
AVG-386 lib32-libcurl-gnutls 7.54.1-1 7.56.0-1 Medium Fixed
AVG-371 lib32-curl 7.54.1-2 7.56.0-1 Medium Fixed
AVG-370 curl 7.54.1-2 7.55-1 Medium Fixed
Date Advisory Group Package Severity Description
05 Oct 2017 ASA-201710-7 AVG-389 libcurl-compat Medium multiple issues
05 Oct 2017 ASA-201710-6 AVG-388 lib32-libcurl-compat Medium multiple issues
05 Oct 2017 ASA-201710-5 AVG-387 libcurl-gnutls Medium multiple issues
05 Oct 2017 ASA-201710-4 AVG-386 lib32-libcurl-gnutls Medium multiple issues
05 Oct 2017 ASA-201710-3 AVG-371 lib32-curl Medium multiple issues
22 Aug 2017 ASA-201708-16 AVG-370 curl Medium information disclosure
References
https://curl.haxx.se/docs/adv_20170809C.html
https://curl.haxx.se/CVE-2017-1000099.patch