CVE-2017-1000100

Source
Severity Medium
Remote Yes
Type Information disclosure
Description
An information disclosure issue has been found in curl < 7.55.0. When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too large value is then used in the sendto() call, making curl attempt to send more data than what is actually put into the buffer. The sendto() function will then read beyond the end of the heap based buffer.
A malicious HTTP(S) server could redirect a vulnerable libcurl-using client to a crafted TFTP URL (if the client hasn't restricted which protocols it allows redirects to) and trick it to send private memory contents to a remote server over UDP.
Group Package Affected Fixed Severity Status Ticket
AVG-389 libcurl-compat 7.54.1-1 7.56.0-1 Medium Fixed
AVG-388 lib32-libcurl-compat 7.54.1-1 7.56.0-1 Medium Fixed
AVG-387 libcurl-gnutls 7.54.1-1 7.56.0-1 Medium Fixed
AVG-386 lib32-libcurl-gnutls 7.54.1-1 7.56.0-1 Medium Fixed
AVG-371 lib32-curl 7.54.1-2 7.56.0-1 Medium Fixed
AVG-370 curl 7.54.1-2 7.55-1 Medium Fixed
Date Advisory Group Package Severity Description
05 Oct 2017 ASA-201710-7 AVG-389 libcurl-compat Medium multiple issues
05 Oct 2017 ASA-201710-6 AVG-388 lib32-libcurl-compat Medium multiple issues
05 Oct 2017 ASA-201710-5 AVG-387 libcurl-gnutls Medium multiple issues
05 Oct 2017 ASA-201710-4 AVG-386 lib32-libcurl-gnutls Medium multiple issues
05 Oct 2017 ASA-201710-3 AVG-371 lib32-curl Medium multiple issues
22 Aug 2017 ASA-201708-16 AVG-370 curl Medium information disclosure
References
https://curl.haxx.se/docs/adv_20170809B.html
https://curl.haxx.se/CVE-2017-1000100.patch