Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 615870 (CVE-2017-7407) - <net-misc/curl-7.54.0: --write-out out of buffer read (CVE-2017-7407)
Summary: <net-misc/curl-7.54.0: --write-out out of buffer read (CVE-2017-7407)
Status: RESOLVED FIXED
Alias: CVE-2017-7407
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: A3 [glsa cve]
Keywords:
Depends on: CVE-2017-1000099, CVE-2017-1000100, CVE-2017-1000101
Blocks:
  Show dependency tree
 
Reported: 2017-04-17 16:49 UTC by Agostino Sarubbo
Modified: 2017-09-17 21:18 UTC (History)
1 user (show)

See Also:
Package list:
net-misc/curl-7.54.1
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-04-17 16:49:52 UTC
From ${URL} :

Project curl Security Advisory, April 3, 2017 -
[Permalink](https://curl.haxx.se/docs/adv_20170403.html)

VULNERABILITY
-------------

There were two bugs in curl's parser for the command line option `--write-out`
(or `-w` for short) that would skip the end of string zero byte if the string
ended in a `%` (percent) or `\` (backslash), and it would read beyond that
buffer in the heap memory and it could then potentially output pieces of that
memory to the terminal or the target file etc.

The curl security team did not report this as a security vulnerability due to
the minimal risk: the memory this would output comes from the process the user
itself invokes and that runs with the same privileges as the user. We could
not come up with a likely scenario where this could leak other users' data or
memory contents.

An external party registered this as a [CVE with
mitre.org](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7407) and
we feel a responsibility to clarify what this flaw is about. The CVE-2017-7407
issue is specifically only about the `%` part of this flaw.

This flaw only exists in the command line tool.

We are not aware of any exploit of this flaw.

INFO
----

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2017-7407 to this issue.

AFFECTED VERSIONS
-----------------

curl has supported this option since version 6.5 (released March 13, 2000).

This flaw exists in the following curl versions.

- Affected versions: 6.5 to and including 7.53.1
- Not affected versions: < 6.5 and >= 7.54.0

THE SOLUTION
------------

In version 7.54.0, the end of the buffer is properly acknowledged and we have
added tests that verify this functionality.

The curl project has (as of this writing) not yet released a version with this
problem fixed. It is however already fixed in curl's git repository, commits
[1890d59905414ab](https://github.com/curl/curl/commit/1890d59905414ab84a) and
[8e65877870c1](https://github.com/curl/curl/commit/8e65877870c1). The fix is
also available as a [stand-alone
patch](https://curl.haxx.se/CVE-2017-7407.patch).

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

  A - Upgrade curl and libcurl to version 7.54.0

  B - Apply the patch to your version and rebuild

  C - Do not use the `--write-out` feature with unchecked input

TIME LINE
---------

It was first reported to the curl project on March 10. The Mitre CVE
registration was [brought to our
attention](https://github.com/curl/curl/commit/1890d59905414ab84a35892b2e45833654aa5c13#commitc
omment-21618166) on April 4, 2017. The first commit to fix this was made
public on March 11.

curl 7.54.0 is to be released on April 19 2017

CREDITS
-------

Reported to the curl project by Brian Carpenter


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-04 19:01:17 UTC
Fixed in v7.54.0 which is already in the repository.

@ Maintainer(s): Can we start stabilization of =net-misc/curl-7.54.0? Maybe we can do bug 618356 before?
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-17 21:29:20 UTC
@ Arches,

please test and mark stable: =net-misc/curl-7.54.1
Comment 3 Agostino Sarubbo gentoo-dev 2017-06-18 14:02:07 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2017-06-20 07:02:11 UTC
x86 stable
Comment 5 Tobias Klausmann (RETIRED) gentoo-dev 2017-06-20 15:00:44 UTC
Stable on alpha.
Comment 6 Agostino Sarubbo gentoo-dev 2017-06-21 11:58:34 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-06-21 12:17:55 UTC
ppc64 stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2017-06-24 21:49:42 UTC
ia64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2017-07-07 09:08:12 UTC
sparc stable
Comment 10 Markus Meier gentoo-dev 2017-08-08 20:39:02 UTC
arm stable
Comment 11 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-16 14:48:48 UTC
Arches, please finish stabilizing hppa

Gentoo Security Padawan
ChrisADR
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2017-09-17 21:18:35 UTC
This issue was resolved and addressed in
 GLSA 201709-14 at https://security.gentoo.org/glsa/201709-14
by GLSA coordinator Aaron Bauman (b-man).