CVE-2017-8817

CVE-2017-8817 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Information disclosure
Description
+ An out-of-bounds read flaw has been found in the FTP wildcard function of libcurl >= 7.21.0 and < 7.57.0. libcurl's FTP wildcard matching feature, which is enabled with the `CURLOPT_WILDCARDMATCH` option, can use a built-in wildcard function or a user-provided one. The built-in wildcard function has a flaw: it does not detect the end of the pattern string if the pattern ends with an open bracket (`[`), and instead continues reading heap memory beyond the end of the URL buffer that holds the wildcard.
+ For applications that use HTTP(S) URLs, allow libcurl to follow redirects, and have FTP wildcards enabled, this flaw can be triggered by a malicious server that redirects the client to a URL containing such a wildcard pattern.
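As an added illustration (not curl's code, and simplified relative to any real glob implementation): a bracket-set parser that carries the end-of-string check whose absence the description above refers to, plus a hypothetical `glob_pattern_is_wellformed` helper that rejects a pattern ending in `[` before any matching starts. Sample patterns in the comments are constructed.

```c
#include <stddef.h>

enum { BRACKET_NO_MATCH = 0, BRACKET_MATCH = 1, BRACKET_MALFORMED = -1 };

/* Parse the bracket set at pat[0] == '[' and report whether c is in it.
 * On success *consumed (if non-NULL) is the number of pattern bytes used,
 * including the closing ']'. The scan stops at the NUL terminator and returns
 * BRACKET_MALFORMED for an unterminated set such as "[" or "[a-"; the flaw
 * described above is the absence of exactly this end-of-string check. */
int glob_bracket_match(const char *pat, char c, size_t *consumed)
{
    size_t i = 1;                      /* pat[0] is the '[' */
    int negate = 0, found = 0;
    unsigned char uc = (unsigned char)c;
    if (pat[0] != '[')
        return BRACKET_MALFORMED;
    if (pat[i] == '!' || pat[i] == '^') { negate = 1; i++; }
    if (pat[i] == ']') { found = (c == ']'); i++; }   /* leading ']' is literal */
    while (pat[i] != ']') {
        if (pat[i] == '\0')            /* reached the terminator: malformed */
            return BRACKET_MALFORMED;
        unsigned char lo = (unsigned char)pat[i], hi = lo;
        if (pat[i + 1] == '-' && pat[i + 2] != ']' && pat[i + 2] != '\0') {
            hi = (unsigned char)pat[i + 2];   /* range such as a-z */
            i += 3;
        } else
            i += 1;
        if (uc >= lo && uc <= hi)
            found = 1;
    }
    if (consumed)
        *consumed = i + 1;             /* include the closing ']' */
    return (found != negate) ? BRACKET_MATCH : BRACKET_NO_MATCH;
}

/* Validate the wildcard part of a URL path (hypothetical helper, not curl's):
 * every '[' must open a properly terminated set, so a pattern ending in '['
 * is rejected before matching starts. Returns 1 if well-formed, else 0. */
int glob_pattern_is_wellformed(const char *pat)
{
    size_t i = 0, used;
    while (pat[i] != '\0') {
        if (pat[i] == '\\' && pat[i + 1] != '\0') { i += 2; continue; } /* escape */
        if (pat[i] != '[') { i++; continue; }
        if (glob_bracket_match(pat + i, '\0', &used) == BRACKET_MALFORMED)
            return 0;
        i += used;
    }
    return 1;
}
```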
References
+ https://curl.haxx.se/docs/adv_2017-ae72.html
+ https://curl.haxx.se/CVE-2017-8817.patch
+ https://github.com/curl/curl/commit/0b664ba968437715819bfe4c7ada5679d16ebbc3
Notes
+ Introduced by: https://github.com/curl/curl/commit/0825cd80a62c21725fb3615f1fdd3aa6cc5f0f34