CVE-2017-1000100

Priority
Low
Description
When doing a TFTP transfer and curl/libcurl is given a URL that contains a
very long file name (longer than about 515 bytes), the file name is
truncated to fit within the buffer boundaries, but the buffer size is still
wrongly updated to use the untruncated length. This too-large value is then
used in the sendto() call, making curl attempt to send more data than what
is actually put into the buffer. The sendto() function will then read beyond
the end of the heap-based buffer. A malicious HTTP(S) server could redirect
a vulnerable libcurl-using client to a crafted TFTP URL (if the client
hasn't restricted which protocols it allows redirects to) and trick it into
sending private memory contents to a remote server over UDP. Limit curl's
redirect protocols with --proto-redir and libcurl's with
CURLOPT_REDIR_PROTOCOLS.
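
The length mismatch described above, as a simplified model added here for illustration (it is not curl's source code): the flawed builder truncates the copy but reports the untruncated size, while the checked builder refuses a name that does not fit. PKT_SIZE, the function names and the sample file names are assumptions made for this example, and nothing is sent on the network.

```c
#include <stdio.h>
#include <string.h>

#define PKT_SIZE 516  /* assumed packet buffer size for this model */

/* Flawed pattern: the copy into pkt is truncated to cap, but the returned
   send length is computed from the untruncated strings. */
static long rrq_len_flawed(char *pkt, size_t cap, const char *fname,
                           const char *mode)
{
    pkt[0] = 0; pkt[1] = 1;                      /* TFTP opcode 1 = RRQ */
    snprintf(pkt + 2, cap - 2, "%s%c%s%c", fname, 0, mode, 0);
    return (long)(2 + strlen(fname) + 1 + strlen(mode) + 1);
}

/* Checked pattern: compute the needed size first and fail if it exceeds
   the buffer, so the length handed to sendto() can never pass cap. */
static long rrq_len_checked(char *pkt, size_t cap, const char *fname,
                            const char *mode)
{
    size_t flen = strlen(fname), mlen = strlen(mode);
    size_t need = 2 + flen + 1 + mlen + 1;
    if (need > cap)
        return -1;                               /* reject, do not truncate */
    pkt[0] = 0; pkt[1] = 1;
    memcpy(pkt + 2, fname, flen + 1);            /* name plus its NUL */
    memcpy(pkt + 2 + flen + 1, mode, mlen + 1);  /* mode plus its NUL */
    return (long)need;
}

int main(void)
{
    char pkt[PKT_SIZE], name[601];
    memset(name, 'A', 600);                      /* constructed long name */
    name[600] = '\0';
    printf("flawed length : %ld (buffer holds %d)\n",
           rrq_len_flawed(pkt, sizeof pkt, name, "octet"), PKT_SIZE);
    printf("checked length: %ld\n",
           rrq_len_checked(pkt, sizeof pkt, name, "octet"));
    return 0;
}
```

A caller that passed the flawed length to sendto() would read past the end of the buffer; the checked variant makes that length impossible to obtain.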
References
Bugs
Assigned-to
mdeslaur
Package
Source: curl (LP Ubuntu Debian)
Upstream:released (7.55.0)
Ubuntu 17.10 (Artful Aardvark):not-affected (7.55.1-1ubuntu1)
Ubuntu 12.04 ESM (Precise Pangolin):needed
Ubuntu 14.04 LTS (Trusty Tahr):released (7.35.0-1ubuntu2.11)
Ubuntu Core 15.04:needed
Ubuntu 16.04 LTS (Xenial Xerus):released (7.47.0-1ubuntu2.3)
Ubuntu 17.04 (Zesty Zapus):released (7.52.1-4ubuntu1.2)
Patches:
Upstream:https://curl.haxx.se/CVE-2017-1000100.patch
Upstream:https://github.com/curl/curl/commit/358b2b131ad6c095696f20dcfa62b8305263f898
More Information

Updated: 2017-10-10 16:14:17 UTC (commit 13484)