Debian Bug report logs - #871554
curl: CVE-2017-1000101: URL globbing out of bounds read

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 9 Aug 2017 07:03:02 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version curl/7.38.0-4

Fixed in versions curl/7.55.0-1, curl/7.52.1-5+deb9u1, curl/7.38.0-4+deb8u6

Done: Alessandro Ghedini <ghedo@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Alessandro Ghedini <ghedo@debian.org>:
Bug#871554; Package src:curl. (Wed, 09 Aug 2017 07:03:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Alessandro Ghedini <ghedo@debian.org>. (Wed, 09 Aug 2017 07:03:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: curl: CVE-2017-1000101: URL globbing out of bounds read
Date: Wed, 09 Aug 2017 09:01:23 +0200
Source: curl
Version: 7.38.0-4
Severity: important
Tags: upstream patch security fixed-upstream

Hi,

the following vulnerability was published for curl.

CVE-2017-1000101[0]:
URL globbing out of bounds read

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-1000101
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000101
[1] https://curl.haxx.se/docs/adv_20170809A.html

Regards,
Salvatore



Reply sent to Alessandro Ghedini <ghedo@debian.org>:
You have taken responsibility. (Sat, 12 Aug 2017 16:09:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 12 Aug 2017 16:09:03 GMT)


Message #10 received at 871554-close@bugs.debian.org:

From: Alessandro Ghedini <ghedo@debian.org>
To: 871554-close@bugs.debian.org
Subject: Bug#871554: fixed in curl 7.55.0-1
Date: Sat, 12 Aug 2017 16:04:21 +0000
Source: curl
Source-Version: 7.55.0-1

We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 871554@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alessandro Ghedini <ghedo@debian.org> (supplier of updated curl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 12 Aug 2017 15:18:05 +0100
Source: curl
Binary: curl libcurl3 libcurl3-gnutls libcurl3-nss libcurl4-openssl-dev libcurl4-gnutls-dev libcurl4-nss-dev libcurl4-doc
Architecture: source
Version: 7.55.0-1
Distribution: unstable
Urgency: medium
Maintainer: Alessandro Ghedini <ghedo@debian.org>
Changed-By: Alessandro Ghedini <ghedo@debian.org>
Description:
 curl       - command line tool for transferring data with URL syntax
 libcurl3   - easy-to-use client-side URL transfer library (OpenSSL flavour)
 libcurl3-gnutls - easy-to-use client-side URL transfer library (GnuTLS flavour)
 libcurl3-nss - easy-to-use client-side URL transfer library (NSS flavour)
 libcurl4-doc - documentation for libcurl
 libcurl4-gnutls-dev - development files and documentation for libcurl (GnuTLS flavour)
 libcurl4-nss-dev - development files and documentation for libcurl (NSS flavour)
 libcurl4-openssl-dev - development files and documentation for libcurl (OpenSSL flavour)
Closes: 871554 871555
Changes:
 curl (7.55.0-1) unstable; urgency=medium
 .
   * New upstream release
     - Fix TFTP sends more than buffer size as per CVE-2017-1000100
       (Closes: #871555)
     - Fix URL globbing out of bounds read as per CVE-2017-1000101
       (Closes: #871554)
   * Refresh patches and drop patches merged upstream
   * Update Standards-Version to 4.0.1 (no changes needed)
   * Drop -dbg package

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 06 Oct 2017 07:27:08 GMT)

Bug unarchived. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 06 Oct 2017 19:39:04 GMT)

Marked as fixed in versions curl/7.38.0-4+deb8u6. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 06 Oct 2017 19:39:06 GMT)

Marked as fixed in versions curl/7.52.1-5+deb9u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 06 Oct 2017 19:39:07 GMT)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Nov 2017 07:30:41 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:56:18 2019; Machine Name: buxtehude