CVE-2017-8817 log

Source
Severity Medium
Remote Yes
Type Information disclosure
Description
A read out of bounds flaw has been found in the FTP wildcard function of libcurl >= 7.21.0 and < 7.57.0. libcurl's FTP wildcard matching feature, which is enabled with the `CURLOPT_WILDCARDMATCH` option can use a built-in wildcard function or a user provided one. The built-in wildcard function has a flaw that makes it not detect the end of the pattern string if it ends with an open bracket (`[`) but instead it will continue reading the heap beyond the end of the URL buffer that holds the wildcard.
For applications that use HTTP(S) URLs, allow libcurl to handle redirects and have FTP wildcards enabled, this flaw can be triggered by malicious servers that can redirect clients to a URL using such a wildcard pattern.
Group Package Affected Fixed Severity Status Ticket
AVG-526 libcurl-compat 7.56.1-1 7.57.0-1 Medium Fixed
AVG-525 libcurl-gnutls 7.56.1-1 7.57.0-1 Medium Fixed
AVG-524 curl 7.56.1-1 7.57.0-1 Medium Fixed
AVG-523 lib32-libcurl-gnutls 7.56.1-1 7.57.0-1 High Fixed
AVG-522 lib32-libcurl-compat 7.56.1-1 7.57.0-1 High Fixed
AVG-521 lib32-curl 7.56.1-1 7.57.0-1 High Fixed
Date Advisory Group Package Severity Description
30 Nov 2017 ASA-201711-38 AVG-522 lib32-libcurl-compat High multiple issues
30 Nov 2017 ASA-201711-37 AVG-523 lib32-libcurl-gnutls High multiple issues
30 Nov 2017 ASA-201711-36 AVG-521 lib32-curl High multiple issues
30 Nov 2017 ASA-201711-35 AVG-526 libcurl-compat Medium information disclosure
30 Nov 2017 ASA-201711-34 AVG-525 libcurl-gnutls Medium information disclosure
30 Nov 2017 ASA-201711-33 AVG-524 curl Medium information disclosure
References
https://curl.haxx.se/docs/adv_2017-ae72.html
https://curl.haxx.se/CVE-2017-8817.patch
https://github.com/curl/curl/commit/0b664ba968437715819bfe4c7ada5679d16ebbc3
Notes
Introduced by: https://github.com/curl/curl/commit/0825cd80a62c21725fb3615f1fdd3aa6cc5f0f34