cnvd - cnvd-2017-28785

cnvd-2017-28785

Vulnerability from cnvd

Title: Haxx curl/libcURL堆缓冲区溢出漏洞

Description:

Haxx curl和libcurl都是瑞典Haxx公司的产品。curl是一套利用URL语法在命令行下工作的文件传输工具。libcurl是一个免费、开源的客户端URL传输库。

Haxx curl/libcURL中存在堆缓冲区溢出漏洞。攻击者可利用该漏洞在受影响应用程序上下文中执行任意代码或造成拒绝服务。

Severity: 高

Patch Name: Haxx curl/libcURL堆缓冲区溢出漏洞的补丁

Patch Description:

Haxx curl和libcurl都是瑞典Haxx公司的产品。curl是一套利用URL语法在命令行下工作的文件传输工具。libcurl是一个免费、开源的客户端URL传输库。

Haxx curl/libcURL中存在堆缓冲区溢出漏洞。攻击者可利用该漏洞在受影响应用程序上下文中执行任意代码或造成拒绝服务。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新： https://curl.haxx.se/docs/adv_20170809B.html

Reference: https://curl.haxx.se/docs/adv_20170809B.html

Impacted products

Name
Haxx Libcurl/cURL

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-1000100"
    }
  },
  "description": "Haxx curl\u548clibcurl\u90fd\u662f\u745e\u5178Haxx\u516c\u53f8\u7684\u4ea7\u54c1\u3002curl\u662f\u4e00\u5957\u5229\u7528URL\u8bed\u6cd5\u5728\u547d\u4ee4\u884c\u4e0b\u5de5\u4f5c\u7684\u6587\u4ef6\u4f20\u8f93\u5de5\u5177\u3002libcurl\u662f\u4e00\u4e2a\u514d\u8d39\u3001\u5f00\u6e90\u7684\u5ba2\u6237\u7aefURL\u4f20\u8f93\u5e93\u3002\r\n\r\nHaxx curl/libcURL\u4e2d\u5b58\u5728\u5806\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u53d7\u5f71\u54cd\u5e94\u7528\u7a0b\u5e8f\u4e0a\u4e0b\u6587\u4e2d\u6267\u884c\u4efb\u610f\u4ee3\u7801\u6216\u9020\u6210\u62d2\u7edd\u670d\u52a1\u3002",
  "discovererName": "Even Rouault",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://curl.haxx.se/docs/adv_20170809B.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-28785",
  "openTime": "2017-09-29",
  "patchDescription": "Haxx curl\u548clibcurl\u90fd\u662f\u745e\u5178Haxx\u516c\u53f8\u7684\u4ea7\u54c1\u3002curl\u662f\u4e00\u5957\u5229\u7528URL\u8bed\u6cd5\u5728\u547d\u4ee4\u884c\u4e0b\u5de5\u4f5c\u7684\u6587\u4ef6\u4f20\u8f93\u5de5\u5177\u3002libcurl\u662f\u4e00\u4e2a\u514d\u8d39\u3001\u5f00\u6e90\u7684\u5ba2\u6237\u7aefURL\u4f20\u8f93\u5e93\u3002\r\n\r\nHaxx curl/libcURL\u4e2d\u5b58\u5728\u5806\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u53d7\u5f71\u54cd\u5e94\u7528\u7a0b\u5e8f\u4e0a\u4e0b\u6587\u4e2d\u6267\u884c\u4efb\u610f\u4ee3\u7801\u6216\u9020\u6210\u62d2\u7edd\u670d\u52a1\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Haxx curl/libcURL\u5806\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Haxx Libcurl/cURL"
  },
  "referenceLink": "https://curl.haxx.se/docs/adv_20170809B.html",
  "serverity": "\u9ad8",
  "submitTime": "2017-08-17",
  "title": "Haxx curl/libcURL\u5806\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e"
}

CVE-2017-1000100 (GCVE-0-2017-1000100)

Vulnerability from cvelistv5

Published

2017-10-04 01:00

Modified

2024-08-05 21:53

Severity ?

CWE

Summary

When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too large value is then used in the sendto() call, making curl attempt to send more data than what is actually put into the buffer. The endto() function will then read beyond the end of the heap based buffer. A malicious HTTP(S) server could redirect a vulnerable libcurl-using client to a crafted TFTP URL (if the client hasn't restricted which protocols it allows redirects to) and trick it to send private memory contents to a remote server over UDP. Limit curl's redirect protocols with --proto-redir and libcurl's with CURLOPT_REDIR_PROTOCOLS.

References

▼	URL	Tags
	https://support.apple.com/HT208221	x_refsource_CONFIRM
	http://www.securityfocus.com/bid/100286	vdb-entry, x_refsource_BID
	https://access.redhat.com/errata/RHSA-2018:3558	vendor-advisory, x_refsource_REDHAT
	https://security.gentoo.org/glsa/201709-14	vendor-advisory, x_refsource_GENTOO
	http://www.securitytracker.com/id/1039118	vdb-entry, x_refsource_SECTRACK
	https://curl.haxx.se/docs/adv_20170809B.html	x_refsource_CONFIRM
	http://www.debian.org/security/2017/dsa-3992	vendor-advisory, x_refsource_DEBIAN

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T21:53:06.527Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.apple.com/HT208221"
          },
          {
            "name": "100286",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/100286"
          },
          {
            "name": "RHSA-2018:3558",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:3558"
          },
          {
            "name": "GLSA-201709-14",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/201709-14"
          },
          {
            "name": "1039118",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1039118"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://curl.haxx.se/docs/adv_20170809B.html"
          },
          {
            "name": "DSA-3992",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2017/dsa-3992"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "dateAssigned": "2017-08-22T00:00:00",
      "datePublic": "2017-10-03T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too large value is then used in the sendto() call, making curl attempt to send more data than what is actually put into the buffer. The endto() function will then read beyond the end of the heap based buffer. A malicious HTTP(S) server could redirect a vulnerable libcurl-using client to a crafted TFTP URL (if the client hasn\u0027t restricted which protocols it allows redirects to) and trick it to send private memory contents to a remote server over UDP. Limit curl\u0027s redirect protocols with --proto-redir and libcurl\u0027s with CURLOPT_REDIR_PROTOCOLS."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-11-13T10:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://support.apple.com/HT208221"
        },
        {
          "name": "100286",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/100286"
        },
        {
          "name": "RHSA-2018:3558",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:3558"
        },
        {
          "name": "GLSA-201709-14",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/201709-14"
        },
        {
          "name": "1039118",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1039118"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://curl.haxx.se/docs/adv_20170809B.html"
        },
        {
          "name": "DSA-3992",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2017/dsa-3992"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "DATE_ASSIGNED": "2017-08-22T17:29:33.315894",
          "ID": "CVE-2017-1000100",
          "REQUESTER": "daniel@haxx.se",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too large value is then used in the sendto() call, making curl attempt to send more data than what is actually put into the buffer. The endto() function will then read beyond the end of the heap based buffer. A malicious HTTP(S) server could redirect a vulnerable libcurl-using client to a crafted TFTP URL (if the client hasn\u0027t restricted which protocols it allows redirects to) and trick it to send private memory contents to a remote server over UDP. Limit curl\u0027s redirect protocols with --proto-redir and libcurl\u0027s with CURLOPT_REDIR_PROTOCOLS."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://support.apple.com/HT208221",
              "refsource": "CONFIRM",
              "url": "https://support.apple.com/HT208221"
            },
            {
              "name": "100286",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/100286"
            },
            {
              "name": "RHSA-2018:3558",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:3558"
            },
            {
              "name": "GLSA-201709-14",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/201709-14"
            },
            {
              "name": "1039118",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1039118"
            },
            {
              "name": "https://curl.haxx.se/docs/adv_20170809B.html",
              "refsource": "CONFIRM",
              "url": "https://curl.haxx.se/docs/adv_20170809B.html"
            },
            {
              "name": "DSA-3992",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2017/dsa-3992"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2017-1000100",
    "datePublished": "2017-10-04T01:00:00",
    "dateReserved": "2017-10-03T00:00:00",
    "dateUpdated": "2024-08-05T21:53:06.527Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted