CVE-2017-1000100
Published: 2017-10-05
Priority: P3 35 medium
CVSS 3.1: 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
EPSS: 3.96% (89.1th percentile)
When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too-large value is then used in the sendto() call, making curl attempt to send more data than what is actually put into the buffer. The sendto() function will then read beyond the end of the heap-based buffer. A malicious HTTP(S) server could redirect a vulnerable libcurl-using client to a crafted TFTP URL (if the client hasn't restricted which protocols it allows redirects to) and trick it into sending private memory contents to a remote server over UDP. Limit curl's redirect protocols with --proto-redir and libcurl's with CURLOPT_REDIR_PROTOCOLS.
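The length mismatch described above, modelled as an added example (not curl's source code and not part of the original advisory): the buggy builder truncates the write but reports the untruncated length, while the checked builder refuses a request that does not fit. `PKT_BUF`, the function names, and the constructed all-`A` file name are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define PKT_BUF 516 /* assumed packet buffer size for this model, not taken from curl */

/* Builds a TFTP read request: 2-byte opcode, file name, NUL, mode, NUL.
   Returns the length the caller would hand to sendto(). */
static size_t build_rrq_buggy(char *pkt, const char *filename, const char *mode)
{
  pkt[0] = 0; pkt[1] = 1;
  /* The write itself is truncated to the buffer ... */
  snprintf(pkt + 2, PKT_BUF - 2, "%s%c%s%c", filename, '\0', mode, '\0');
  /* ... but the reported length comes from the untruncated inputs. */
  return 4 + strlen(filename) + strlen(mode);
}

/* Same request, but the needed size is checked before anything is written.
   Returns 0 when the request does not fit, so nothing is sent. */
static size_t build_rrq_checked(char *pkt, const char *filename, const char *mode)
{
  size_t flen = strlen(filename), mlen = strlen(mode);
  size_t need = 4 + flen + mlen;
  if(need > PKT_BUF)
    return 0;
  pkt[0] = 0; pkt[1] = 1;
  memcpy(pkt + 2, filename, flen + 1);
  memcpy(pkt + 2 + flen + 1, mode, mlen + 1);
  return need;
}

/* Demo helper: builds a request for a constructed name of name_len 'A's. */
static size_t request_len(size_t name_len, int checked)
{
  char pkt[PKT_BUF];
  char name[1024];
  if(name_len >= sizeof(name))
    return 0;
  memset(name, 'A', name_len);
  name[name_len] = '\0';
  return checked ? build_rrq_checked(pkt, name, "octet")
                 : build_rrq_buggy(pkt, name, "octet");
}

int main(void)
{
  size_t n = request_len(600, 0);
  printf("buggy:   len=%zu, bytes past buffer=%zu\n",
         n, n > PKT_BUF ? n - PKT_BUF : 0);
  printf("checked: len=%zu\n", request_len(600, 1));
  return 0;
}
```

The model only computes the length that would be passed to `sendto()`; it never performs the out-of-bounds read.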
Affected
87 ranges; excerpt shown
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | macos_high_sierra_10.13.1_security_update_2017-001_sierra_and_security_update_20 | — | — |
| debian | curl | < curl 7.55.0-1 (bookworm) | curl 7.55.0-1 (bookworm) |
| haxx | curl | >= 0 < 7.55.0-1 | 7.55.0-1 |
| haxx | curl | >= 0 < 7.35.0-1ubuntu2.11 | 7.35.0-1ubuntu2.11 |
| haxx | curl | >= 0 < 7.47.0-1ubuntu2.3 | 7.47.0-1ubuntu2.3 |
| haxx | libcurl | — | — |
CVSS provenance
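| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
| nvd | v3.0 | 6.5 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
| osv | — | 8.1 | HIGH | — |
| vendor_debian | — | 6.5 | MEDIUM | — |
| vendor_redhat | — | 6.5 | MEDIUM | — |
| vendor_ubuntu | — | 5.9 | MEDIUM | — |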
Apple
CVE-2017-1000100: macOS High Sierra 10.13.1, Security Update 2017-001 Sierra, and Security Update 2017-004 El Capitan
vendor_apple·2017-10-31·CVSS 6.5
CVE-2017-1000100 [MEDIUM] CVE-2017-1000100: macOS High Sierra 10.13.1, Security Update 2017-001 Sierra, and Security Update 2017-004 El Capitan
Apple Security Update: About the security content of macOS High Sierra 10.13.1, Security Update 2017-001 Sierra, and Security Update 2017-004 El Capitan
Product: macOS High Sierra 10.13.1, Security Update 2017-001 Sierra, and Security Update 2017-004 El Capitan
CVE: CVE-2017-1000100
Component: CoreText
Impact: Processing a maliciously crafted font file may lead to arbitrary code execution
Description: A memory consumption issue was addressed with improved memory handling.
Ubuntu
curl vulnerabilities
vendor_ubuntu·2017-10-23·CVSS 5.9
CVE-2016-9586 [MEDIUM] curl vulnerabilities
Title: curl vulnerabilities
Summary: Several security issues were fixed in curl.
USN-3441-1 fixed several vulnerabilities in curl. This update
provides the corresponding update for Ubuntu 12.04 ESM.
Original advisory details:
Daniel Stenberg discovered that curl incorrectly handled large floating
point output. A remote attacker could use this issue to cause curl to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2016-9586)
Even Rouault discovered that curl incorrectly handled large file names when
doing TFTP transfers. A remote attacker could use this issue to cause curl
to crash, resulting in a denial of service, or possibly obtain sensitive
memory contents. (CVE-2017-1000100)
Brian Carpenter and Yongji Ouyang discovered that curl incorrectly handle
Ubuntu
curl vulnerabilities
vendor_ubuntu·2017-10-10·CVSS 5.9
CVE-2016-9586 [MEDIUM] curl vulnerabilities
Title: curl vulnerabilities
Summary: Several security issues were fixed in curl.
Daniel Stenberg discovered that curl incorrectly handled large floating
point output. A remote attacker could use this issue to cause curl to
crash, resulting in a denial of service, or possibly execute arbitrary
code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.
(CVE-2016-9586)
Even Rouault discovered that curl incorrectly handled large file names when
doing TFTP transfers. A remote attacker could use this issue to cause curl
to crash, resulting in a denial of service, or possibly obtain sensitive
memory contents. (CVE-2017-1000100)
Brian Carpenter and Yongji Ouyang discovered that curl incorrectly handled
numerical range globbing. A remote attacker could use this issue to cause
curl to
Red Hat
curl: TFTP sends more than buffer size
vendor_redhat·2017-08-09·CVSS 6.5
CVE-2017-1000100 [MEDIUM] CWE-125 curl: TFTP sends more than buffer size
When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too-large value is then used in the sendto() call, making curl attempt to send more data than what is actually put into the buffer. The sendto() function will then read beyond the end of the heap-based buffer. A malicious HTTP(S) server could redirect a vulnerable libcurl-using client to a crafted TFTP URL (if the client hasn't restricted which protocols it allows redirects to) and trick it into sending private memory contents to a remote server over UDP. Limit curl's redirect protocols wit
Debian
CVE-2017-1000100: curl - When doing a TFTP transfer and curl/libcurl is given a URL that contains a very ...
vendor_debian·2017·CVSS 6.5
CVE-2017-1000100 [MEDIUM] CVE-2017-1000100: curl - When doing a TFTP transfer and curl/libcurl is given a URL that contains a very ...
When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too-large value is then used in the sendto() call, making curl attempt to send more data than what is actually put into the buffer. The sendto() function will then read beyond the end of the heap-based buffer. A malicious HTTP(S) server could redirect a vulnerable libcurl-using client to a crafted TFTP URL (if the client hasn't restricted which protocols it allows redirects to) and trick it into sending private memory contents to a remote server over UDP. Limit curl's redirect protocols with --proto-redir and libcurl's with CURLO
GHSA
GHSA-86r8-52rx-6jcr: When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncat
ghsa_unreviewed·2022-05-14
CVE-2017-1000100 [MEDIUM] CWE-200 GHSA-86r8-52rx-6jcr: When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncat
When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too-large value is then used in the sendto() call, making curl attempt to send more data than what is actually put into the buffer. The sendto() function will then read beyond the end of the heap-based buffer. A malicious HTTP(S) server could redirect a vulnerable libcurl-using client to a crafted TFTP URL (if the client hasn't restricted which protocols it allows redirects to) and trick it into sending private memory contents to a remote server over UDP. Limit curl's redirect protocols with --proto-redir and libcurl's with CURLO
OSV
curl vulnerabilities
osv·2017-10-10·CVSS 8.1
CVE-2016-9586 [HIGH] curl vulnerabilities
Daniel Stenberg discovered that curl incorrectly handled large floating
point output. A remote attacker could use this issue to cause curl to
crash, resulting in a denial of service, or possibly execute arbitrary
code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.
(CVE-2016-9586)
Even Rouault discovered that curl incorrectly handled large file names when
doing TFTP transfers. A remote attacker could use this issue to cause curl
to crash, resulting in a denial of service, or possibly obtain sensitive
memory contents. (CVE-2017-1000100)
Brian Carpenter and Yongji Ouyang discovered that curl incorrectly handled
numerical range globbing. A remote attacker could use this issue to cause
curl to crash, resulting in a denial of service, or possibly obtain
OSV
CVE-2017-1000100: When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncat
osv·2017-10-05·CVSS 6.5
CVE-2017-1000100 [MEDIUM] CVE-2017-1000100: When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncat
When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too-large value is then used in the sendto() call, making curl attempt to send more data than what is actually put into the buffer. The sendto() function will then read beyond the end of the heap-based buffer. A malicious HTTP(S) server could redirect a vulnerable libcurl-using client to a crafted TFTP URL (if the client hasn't restricted which protocols it allows redirects to) and trick it into sending private memory contents to a remote server over UDP. Limit curl's redirect protocols with --proto-redir and libcurl's with CURLO
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2017-1000100 CVE-2017-1000101 mingw-curl: various flaws [epel-7]
bugzilla·2017-08-09·CVSS 6.5
CVE-2017-1000100 [MEDIUM] CVE-2017-1000100 CVE-2017-1000101 mingw-curl: various flaws [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use the following template for the 'fedpkg update
Bugzilla
CVE-2017-1000099 CVE-2017-1000100 CVE-2017-1000101 curl: various flaws [fedora-all]
bugzilla·2017-08-09·CVSS 6.5
CVE-2017-1000099 [MEDIUM] CVE-2017-1000099 CVE-2017-1000100 CVE-2017-1000101 curl: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported ve
Bugzilla
CVE-2017-1000099 CVE-2017-1000100 CVE-2017-1000101 mingw-curl: various flaws [fedora-all]
bugzilla·2017-08-09·CVSS 6.5
CVE-2017-1000099 [MEDIUM] CVE-2017-1000099 CVE-2017-1000100 CVE-2017-1000101 mingw-curl: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple suppor
Bugzilla
CVE-2017-1000100 curl: TFTP sends more than buffer size
bugzilla·2017-08-04·CVSS 6.5
CVE-2017-1000100 [MEDIUM] CVE-2017-1000100 curl: TFTP sends more than buffer size
When doing a TFTP upload and curl/libcurl is given a URL that contains a very
long file name (longer than about 515 bytes), the file name is truncated to
fit within the buffer boundaries, but the buffer size is still wrongly updated
to use the untruncated length. This too large value is then used in the
`send()` call, making curl attempt to send more data than what is actually put
into the buffer. The `send()` function will then read beyond the end of the
heap based buffer.
Affected versions: libcurl 7.15.0 to and including 7.54.1
Discussion:
Acknowledgments:
Name: the Curl project
Upstream: Even Rouault
---
Created attachment 1308973
Upstream patch
---
Statement:
Red Hat Product Security has rated this issue as having Low
References:
http://www.debian.org/security/2017/dsa-3992
http://www.securityfocus.com/bid/100286
http://www.securitytracker.com/id/1039118
https://access.redhat.com/errata/RHSA-2018:3558
https://curl.haxx.se/docs/adv_20170809B.html
https://security.gentoo.org/glsa/201709-14
https://support.apple.com/HT208221
Published: 2017-10-05