CVE-2017-1000254

Priority
Medium
Description
libcurl may read outside of a heap allocated buffer when doing FTP. When
libcurl connects to an FTP server and successfully logs in (anonymous or
not), it asks the server for the current directory with the `PWD` command.
The server then responds with a 257 response containing the path, inside
double quotes. The returned path name is then kept by libcurl for
subsequent uses. Due to a flaw in the string parser for this directory
name, a directory name passed like this but without a closing double quote
would lead to libcurl not adding a trailing NUL byte to the buffer holding
the name. When libcurl would then later access the string, it could read
beyond the allocated heap buffer and crash or wrongly access data beyond
the buffer, thinking it was part of the path. A malicious server could
abuse this fact and effectively prevent libcurl-based clients from working
with it - the PWD command is always issued on new FTP connections and the
mistake has a high chance of causing a segfault. The simple fact that this
issue has remained undiscovered for this long could suggest that malformed
PWD responses are rare in benign servers. We are not aware of any exploit
of this flaw. This bug was introduced in commit
[415d2e7cb7](https://github.com/curl/curl/commit/415d2e7cb7), March 2005.
In libcurl version 7.56.0, the parser always zero terminates the string but
also rejects it if not terminated properly with a final double quote.
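As an added illustration (not libcurl's own code), the following C function re-implements the PWD 257-reply parser the way the 7.56.0 fix is described above: the extracted directory is always NUL-terminated and a path whose closing double quote is missing is rejected rather than kept. The function name and reply samples are constructed for this example.

```c
#include <stdlib.h>
#include <string.h>
/* Illustrative re-implementation (not libcurl's code) of the PWD reply
 * parser, hardened as the 7.56.0 fix describes: the extracted directory is
 * always NUL-terminated and an unterminated quoted path is rejected.
 * Input is one 257 reply line, e.g.  257 "/home/user" is current directory
 * (RFC 959: an embedded double quote is escaped by doubling it).
 * Returns a malloc'd NUL-terminated string, or NULL when no properly
 * quoted path is present. The caller must free() the result. */
char *parse_pwd_reply(const char *line)
{
    const char *ptr = line;
    char *dir, *store;
    int closed = 0;
    while(*ptr && *ptr != '"')     /* skip "257 " and any text before the quote */
        ptr++;
    if(*ptr != '"')
        return NULL;               /* no quoted path at all */
    ptr++;

    /* the path can never be longer than the rest of the reply text */
    dir = malloc(strlen(ptr) + 1);
    if(!dir)
        return NULL;
    store = dir;

    while(*ptr) {
        if(*ptr == '"') {
            if(ptr[1] == '"') {    /* "" inside the path is a literal quote */
                *store++ = '"';
                ptr += 2;
                continue;
            }
            closed = 1;            /* the terminating quote */
            break;
        }
        *store++ = *ptr++;
    }
    /* Pre-7.56.0, a reply that ran out before the closing quote left the
     * buffer without its NUL, so later reads of the path walked off the end
     * of the heap block. Terminate unconditionally, then reject the
     * malformed reply as the fix also does. */
    *store = '\0';
    if(!closed) {
        free(dir);
        return NULL;
    }
    return dir;
}
```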
References
Bugs
Assigned-to
mdeslaur
Package
Source: curl (LP Ubuntu Debian)
Upstream: released (7.56.0)
Ubuntu 17.10 (Artful Aardvark): released (7.55.1-1ubuntu2)
Ubuntu 12.04 ESM (Precise Pangolin): needed
Ubuntu 14.04 LTS (Trusty Tahr): released (7.35.0-1ubuntu2.11)
Ubuntu Core 15.04: needed
Ubuntu 16.04 LTS (Xenial Xerus): released (7.47.0-1ubuntu2.3)
Ubuntu 17.04 (Zesty Zapus): released (7.52.1-4ubuntu1.2)
Patches:
Upstream: https://curl.haxx.se/CVE-2017-1000254.patch
Upstream: https://github.com/curl/curl/commit/5ff2c5ff25750aba1a8f64fbcad8e5b891512584
More Information

Updated: 2017-10-12 04:14:20 UTC (commit 13499)