Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2017-1000254  

When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients to work with it - the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault.

Source
Severity Low

Remote Yes

Type Denial of service

Description 

When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients to work with it - the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault.

AVG-422 curl 7.55.1-1 7.56.0-1 Low Fixed

AVG-389 libcurl-compat 7.54.1-1 7.56.0-1 Medium Fixed

AVG-388 lib32-libcurl-compat 7.54.1-1 7.56.0-1 Medium Fixed

AVG-387 libcurl-gnutls 7.54.1-1 7.56.0-1 Medium Fixed

AVG-386 lib32-libcurl-gnutls 7.54.1-1 7.56.0-1 Medium Fixed

AVG-371 lib32-curl 7.54.1-2 7.56.0-1 Medium Fixed

05 Oct 2017 ASA-201710-7 AVG-389 libcurl-compat Medium multiple issues

05 Oct 2017 ASA-201710-6 AVG-388 lib32-libcurl-compat Medium multiple issues

05 Oct 2017 ASA-201710-5 AVG-387 libcurl-gnutls Medium multiple issues

05 Oct 2017 ASA-201710-4 AVG-386 lib32-libcurl-gnutls Medium multiple issues

05 Oct 2017 ASA-201710-3 AVG-371 lib32-curl Medium multiple issues

05 Oct 2017 ASA-201710-2 AVG-422 curl Low denial of service 

https://curl.haxx.se/docs/adv_20171004.html
https://curl.haxx.se/CVE-2017-1000254.patch
https://github.com/curl/curl/commit/5ff2c5ff25750aba1a8f64fbcad8e5b891512584

Introduced by https://github.com/curl/curl/commit/415d2e7cb7dd4f40b7c857f0fba23487dcd030a0
Affected versions: libcurl 7.7 to and including 7.55.1
Not affected versions: libcurl < 7.7 and >= 7.56.0

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started