Debian Curl vulnerabilities

182 known vulnerabilities affecting debian/curl.

Total CVEs: 182
CISA KEV: 0
Public exploits: 3
Exploited in wild: 0
Severity breakdown: CRITICAL 23, HIGH 36, MEDIUM 65, LOW 58

Vulnerabilities

Page 6 of 10
CVE-2018-1000120 | CRITICAL | CVSS 9.8 | fixed in curl 7.60.0-1 (bookworm) | 2018
CVE-2018-1000120 [CRITICAL] curl - A buffer overflow exists in curl 7.12.3 to and including curl 7.58.0 in the FTP URL handling that allows an attacker to cause a denial of service or worse.
Scope: local. bookworm: resolved (fixed in 7.60.0-1); bullseye: resolved (fixed in 7.60.0-1); forky: resolved (fixed in 7.60.0-1); sid: resolved (fixed in 7.60.0-1); trixie: resolved (fixed in 7.60.0-1)
debian
CVE-2018-0500 | CRITICAL | CVSS 9.8 | fixed in curl 7.61.0-1 (bookworm) | 2018
CVE-2018-0500 [CRITICAL] curl - Curl_smtp_escape_eob in lib/smtp.c in curl 7.54.1 to and including curl 7.60.0 has a heap-based buffer overflow that might be exploitable by an attacker who can control the data that curl transmits over SMTP with certain settings (i.e., use of a nonstandard --limit-rate argument or CURLOPT_BUFFERSIZE value).
Scope: local. bookworm: resolved (fixed in 7.61.0-1); bullsey

CVE-2018-1000300 | CRITICAL | CVSS 9.8 | fixed in curl 7.60.0-1 (bookworm) | 2018
CVE-2018-1000300 [CRITICAL] curl - curl version curl 7.54.1 to and including curl 7.59.0 contains a CWE-122: Heap-based Buffer Overflow vulnerability in denial of service and more that can result in curl might overflow a heap based memory buffer when closing down an FTP connection with very long server command replies. This vulnerability appears to have been fixed in curl = 7.60.0.
Scope: local

CVE-2018-1000007 | CRITICAL | CVSS 9.8 | fixed in curl 7.58.0-1 (bookworm) | 2018
CVE-2018-1000007 [CRITICAL] curl - libcurl 7.1 through 7.57.0 might accidentally leak authentication data to third parties. When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the `Location:` response heade

CVE-2018-14618 | CRITICAL | CVSS 9.8 | fixed in curl 7.62.0-1 (bookworm) | 2018
CVE-2018-14618 [CRITICAL] curl - curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the

CVE-2018-16890 | HIGH | CVSS 7.5 | fixed in curl 7.64.0-1 (bookworm) | 2018
CVE-2018-16890 [HIGH] curl - libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server could trick libcurl to acc

CVE-2018-1000121 | HIGH | CVSS 7.5 | fixed in curl 7.60.0-1 (bookworm) | 2018
CVE-2018-1000121 [HIGH] curl - A NULL pointer dereference exists in curl 7.21.0 to and including curl 7.58.0 in the LDAP code that allows an attacker to cause a denial of service.
Scope: local. bookworm: resolved (fixed in 7.60.0-1); bullseye: resolved (fixed in 7.60.0-1); forky: resolved (fixed in 7.60.0-1); sid: resolved (fixed in 7.60.0-1); trixie: resolved (fixed in 7.60.0-1)

CVE-2018-16842 | MEDIUM | CVSS 4.4 | fixed in curl 7.62.0-1 (bookworm) | 2018
CVE-2018-16842 [MEDIUM] curl - Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service.
Scope: local. bookworm: resolved (fixed in 7.62.0-1); bullseye: resolved (fixed in 7.62.0-1); forky: resolved (fixed in 7.62.0-1); sid: resolved (fixed in 7.62.0-1); trixie: resolved (fixed i

CVE-2018-16839 | MEDIUM | CVSS 4.3 | fixed in curl 7.62.0-1 (bookworm) | 2018
CVE-2018-16839 [MEDIUM] curl - Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service.
Scope: local. bookworm: resolved (fixed in 7.62.0-1); bullseye: resolved (fixed in 7.62.0-1); forky: resolved (fixed in 7.62.0-1); sid: resolved (fixed in 7.62.0-1); trixie: resolved (fixed in 7.62.0-1)

CVE-2017-8816 | CRITICAL | CVSS 9.8 | fixed in curl 7.57.0-1 (bookworm) | 2017
CVE-2017-8816 [CRITICAL] curl - The NTLM authentication feature in curl and libcurl before 7.57.0 on 32-bit platforms allows attackers to cause a denial of service (integer overflow and resultant buffer overflow, and application crash) or possibly have unspecified other impact via vectors involving long user and password fields.
Scope: local. bookworm: resolved (fixed in 7.57.0-1); bullseye: resolved

CVE-2017-8817 | CRITICAL | CVSS 9.8 | fixed in curl 7.57.0-1 (bookworm) | 2017
CVE-2017-8817 [CRITICAL] curl - The FTP wildcard function in curl and libcurl before 7.57.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a string that ends with an '[' character.
Scope: local. bookworm: resolved (fixed in 7.57.0-1); bullseye: resolved (fixed in 7.57.0-1); forky: resolved (fixed in 7.57.0-1

CVE-2017-8818 | CRITICAL | CVSS 9.8 | fixed in curl 7.57.0-1 (bookworm) | 2017
CVE-2017-8818 [CRITICAL] curl - curl and libcurl before 7.57.0 on 32-bit platforms allow attackers to cause a denial of service (out-of-bounds access and application crash) or possibly have unspecified other impact because too little memory is allocated for interfacing to an SSL library.
Scope: local. bookworm: resolved (fixed in 7.57.0-1); bullseye: resolved (fixed in 7.57.0-1); forky: resolved (fixe

CVE-2017-1000257 | CRITICAL | CVSS 9.1 | fixed in curl 7.56.1-1 (bookworm) | 2017
CVE-2017-1000257 [CRITICAL] curl - An IMAP FETCH response line indicates the size of the returned data, in number of bytes. When that response says the data is zero bytes, libcurl would pass on that (non-existing) data with a pointer and the size (zero) to the deliver-data function. libcurl's deliver-data function treats zero as a magic number and invokes strlen() on the data to figure out the l

CVE-2017-1000254 | HIGH | CVSS 7.5 | fixed in curl 7.56.1-1 (bookworm) | 2017
CVE-2017-1000254 [HIGH] curl - libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequ

CVE-2017-7468 | HIGH | CVSS 7.5 | fixed in curl 7.52.1-5 (bookworm) | 2017
CVE-2017-7468 [HIGH] curl - In curl and libcurl 7.52.0 to and including 7.53.1, libcurl would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable since a server by specification is allowed to skip the client certificate check on resume, and may instead use the old identity which was established by the previous certificate (or no certificate). libcurl sup

CVE-2017-2629 | MEDIUM | CVSS 4.3 | fixed in curl 7.52.1-3 (bookworm) | 2017
CVE-2017-2629 [MEDIUM] curl - curl before 7.53.0 has an incorrect TLS Certificate Status Request extension feature that asks for a fresh proof of the server's certificate's validity in the code that checks for a test success or failure. It ends up always thinking there's valid proof, even when there is none or if the server doesn't support the TLS extension in question. This could lead to users not

CVE-2017-1000100 | MEDIUM | CVSS 6.5 | fixed in curl 7.55.0-1 (bookworm) | 2017
CVE-2017-1000100 [MEDIUM] curl - When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too large value is then used in the sendto() call, making curl attempt to send more data than

CVE-2017-1000101 | MEDIUM | CVSS 6.5 | fixed in curl 7.55.0-1 (bookworm) | 2017
CVE-2017-1000101 [MEDIUM] curl - curl supports "globbing" of URLs, in which a user can pass a numerical range to have the tool iterate over those numbers to do a sequence of transfers. In the globbing function that parses the numerical range, there was an omission that made curl read a byte beyond the end of the URL if given a carefully crafted, or just wrongly written, URL. The URL is stored in

CVE-2017-2628 | LOW | CVSS 5.0 | 2017
CVE-2017-2628 [MEDIUM] curl - curl, as shipped in Red Hat Enterprise Linux 6 before version 7.19.7-53, did not correctly backport the fix for CVE-2015-3148 because it did not reflect the fact that the HAVE_GSSAPI define was meanwhile substituted by USE_HTTP_NEGOTIATE. This issue was introduced in RHEL 6.7 and affects RHEL 6 curl only.
Scope: local. bookworm: resolved; bullseye: resolved; forky: resolv

CVE-2017-9502 | LOW | CVSS 5.3 | 2017
CVE-2017-9502 [MEDIUM] curl - In curl before 7.54.1 on Windows and DOS, libcurl's default protocol function, which is the logic that allows an application to set which protocol libcurl should attempt to use when given a URL without a scheme part, had a flaw that could lead to it overwriting a heap based memory buffer with seven bytes. If the default protocol is specified to be FILE or a file: URL l