SB2017120748 - Out-of-bounds read in curl (Alpine package)
Published: December 7, 2017
Security Bulletin ID
SB2017120748
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Out-of-bounds read (CVE-ID: CVE-2017-8817)
The vulnerability allows a remote attacker to redirect the target client to an arbitrary site.
The vulnerability exists due to out-of-bounds read in the FTP wildcard function (CURLOPT_WILDCARDMATCH). A remote unauthenticated attacker can use a string that ends with an '[' character, trigger out-of-bounds read and cause the target connected libcurl client to be redirected.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=06d873c35d45649783f1d3393b35034356679424
- https://git.alpinelinux.org/aports/commit/?id=c06e486361bfb260c36b661c47d03ff912df9539
- https://git.alpinelinux.org/aports/commit/?id=8cd99339489d34b85f1c9f7196bc0a73cda7bde0
- https://git.alpinelinux.org/aports/commit/?id=ae95dcd40f4dd84b6c6cc8c7b1f7dccc38bc103e
- https://git.alpinelinux.org/aports/commit/?id=be39a8b5346d43f34446441548dc6edd585cb297