Debian Bug report logs - #859500
curl: CVE-2017-7407

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 4 Apr 2017 12:15:01 UTC

Severity: normal

Tags: fixed-upstream, patch, security, upstream

Found in version curl/7.38.0-4

Fixed in version curl/7.52.1-4

Done: Alessandro Ghedini <ghedo@debian.org>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Alessandro Ghedini <ghedo@debian.org>:
Bug#859500; Package src:curl. (Tue, 04 Apr 2017 12:15:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Alessandro Ghedini <ghedo@debian.org>. (Tue, 04 Apr 2017 12:15:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: curl: CVE-2017-7407
Date: Tue, 04 Apr 2017 14:10:56 +0200
Source: curl
Version: 7.38.0-4
Severity: important
Tags: security patch upstream fixed-upstream

Hi,

the following vulnerability was published for curl.

CVE-2017-7407[0]:
| The ourWriteOut function in tool_writeout.c in curl 7.53.1 might allow
| physically proximate attackers to obtain sensitive information from
| process memory in opportunistic circumstances by reading a workstation
| screen during use of a --write-out argument ending in a '%' character,
| which leads to a heap-based buffer over-read.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7407
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7407

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
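The over-read the CVE text above describes, as an added example that is neither curl's tool_writeout.c nor part of this report: a simplified --write-out template scanner whose `safe == 0` path mirrors the pre-fix logic (using the byte after a '%' without first checking for the NUL terminator) and whose `safe == 1` path adds that check. The scanner, the `safe` flag and the sample buffer are constructed here; the bytes after the terminator stand in for adjacent heap memory so the over-read can be observed without leaving the array.

```c
#include <string.h>

/* Simplified model of a --write-out template scanner, added for this note;
 * it is NOT curl's tool_writeout.c. "%{name}" renders as "<name>", "%%" as
 * "%", any other "%x" pair is copied through. With safe == 0 it mirrors the
 * pre-fix logic: it uses ptr[1] after a '%' without checking for the NUL
 * terminator, so a template ending in '%' is stepped past and copying goes on. */
static size_t writeout_model(const char *ptr, int safe, char *out, size_t cap)
{
    size_t n = 0;
    while (*ptr && n + 2 < cap) {                /* room for 2 bytes + NUL */
        if ('%' == *ptr && (!safe || ptr[1] != '\0')) {
            if ('%' == ptr[1]) {                 /* escaped percent */
                out[n++] = '%';
                ptr += 2;
            }
            else if ('{' == ptr[1]) {            /* "%{name}" */
                const char *end = strchr(ptr + 2, '}');
                if (!end)
                    break;                       /* unterminated: stop */
                out[n++] = '<';
                for (const char *p = ptr + 2; p < end && n + 2 < cap; p++)
                    out[n++] = *p;
                out[n++] = '>';
                ptr = end + 1;
            }
            else {                               /* unknown "%x" pair */
                out[n++] = '%';
                out[n++] = ptr[1];               /* unsafe: copies the NUL */
                ptr += 2;                        /* unsafe: skips past it */
            }
        }
        else
            out[n++] = *ptr++;                   /* safe: trailing '%' is literal */
    }
    out[n] = '\0';
    return n;
}

/* Constructed sample: template ending in '%', its NUL terminator, then bytes
 * standing in for memory after the string. Returns the emitted byte count
 * (unsafe 25, safe 18); *leaked is 1 if bytes past the terminator came out. */
static size_t run_sample(int safe, int *leaked)
{
    static const char sample[] = "code=%{http_code} %\0SECRET";
    char out[64];
    size_t n = writeout_model(sample, safe, out, sizeof out);
    *leaked = n >= 6 && memcmp(out + n - 6, "SECRET", 6) == 0;
    return n;
}
```

With the real tool the bytes that followed the template were whatever sat next to it on the heap, which is why the advisory rates this an information leak rather than a crash.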



Severity set to 'normal' from 'important'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 04 Apr 2017 12:18:02 GMT)


Reply sent to Alessandro Ghedini <ghedo@debian.org>:
You have taken responsibility. (Sat, 08 Apr 2017 21:51:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 08 Apr 2017 21:51:06 GMT)


Message #12 received at 859500-close@bugs.debian.org:

From: Alessandro Ghedini <ghedo@debian.org>
To: 859500-close@bugs.debian.org
Subject: Bug#859500: fixed in curl 7.52.1-4
Date: Sat, 08 Apr 2017 21:49:15 +0000
Source: curl
Source-Version: 7.52.1-4

We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 859500@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alessandro Ghedini <ghedo@debian.org> (supplier of updated curl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 08 Apr 2017 21:55:27 +0100
Source: curl
Binary: curl libcurl3 libcurl3-gnutls libcurl3-nss libcurl4-openssl-dev libcurl4-gnutls-dev libcurl4-nss-dev libcurl3-dbg libcurl4-doc
Architecture: source amd64 all
Version: 7.52.1-4
Distribution: unstable
Urgency: medium
Maintainer: Alessandro Ghedini <ghedo@debian.org>
Changed-By: Alessandro Ghedini <ghedo@debian.org>
Description:
 curl       - command line tool for transferring data with URL syntax
 libcurl3   - easy-to-use client-side URL transfer library (OpenSSL flavour)
 libcurl3-dbg - debugging symbols for libcurl (OpenSSL, GnuTLS and NSS flavours)
 libcurl3-gnutls - easy-to-use client-side URL transfer library (GnuTLS flavour)
 libcurl3-nss - easy-to-use client-side URL transfer library (NSS flavour)
 libcurl4-doc - documentation for libcurl
 libcurl4-gnutls-dev - development files and documentation for libcurl (GnuTLS flavour)
 libcurl4-nss-dev - development files and documentation for libcurl (NSS flavour)
 libcurl4-openssl-dev - development files and documentation for libcurl (OpenSSL flavour)
Closes: 857613 859500
Changes:
 curl (7.52.1-4) unstable; urgency=medium
 .
   * Fix regression in CONNECT response handling (Closes: #857613)
   * Fix buffer read overrun on --write-out as per CVE-2017-7407
     https://curl.haxx.se/docs/adv_20170403.html (Closes: #859500)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 28 May 2017 07:24:38 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:30:33 2019; Machine Name: beach
