Debian Curl vulnerabilities

CVE-2017-1000099 [MEDIUM] CVE-2017-1000099: curl - When asking to get a file from a file:// URL, libcurl provides a feature that ou... When asking to get a file from a file:// URL, libcurl provides a feature that outputs meta-data about the file using HTTP-like headers. The code doing this would send the wrong buffer to the user (stdout or the application's provide callback), which could lead to other private data from the heap to get inadvertently displayed. The wrong buffer was an uninitialize

CVE-2017-7407 [LOW] CVE-2017-7407: curl - The ourWriteOut function in tool_writeout.c in curl 7.53.1 might allow physicall... The ourWriteOut function in tool_writeout.c in curl 7.53.1 might allow physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which leads to a heap-based buffer over-read. Scope: local bookworm: resolved (fixed in 7.52.

CVE-2016-7167 [CRITICAL] CVE-2016-7167: curl - Multiple integer overflows in the (1) curl_escape, (2) curl_easy_escape, (3) cur... Multiple integer overflows in the (1) curl_escape, (2) curl_easy_escape, (3) curl_unescape, and (4) curl_easy_unescape functions in libcurl before 7.50.3 allow attackers to have unspecified impact via a string of length 0xffffffff, which triggers a heap-based buffer overflow. Scope: local bookworm: resolved (fixed in 7.51.0-1) bullseye: resolved (fixed in 7.51.0-1) f

CVE-2016-5421 [HIGH] CVE-2016-5421: curl - Use-after-free vulnerability in libcurl before 7.50.1 allows attackers to contro... Use-after-free vulnerability in libcurl before 7.50.1 allows attackers to control which connection is used or possibly have unspecified other impact via unknown vectors. Scope: local bookworm: resolved (fixed in 7.50.1-1) bullseye: resolved (fixed in 7.50.1-1) forky: resolved (fixed in 7.50.1-1) sid: resolved (fixed in 7.50.1-1) trixie: resolved (fixed in 7.50.1-1)

CVE-2016-7141 [HIGH] CVE-2016-7141: curl - curl and libcurl before 7.50.2, when built with NSS and the libnsspem.so library... curl and libcurl before 7.50.2, when built with NSS and the libnsspem.so library is available at runtime, allow remote attackers to hijack the authentication of a TLS connection by leveraging reuse of a previously loaded client certificate from file for a connection for which no certificate has been set, a different vulnerability than CVE-2016-5420. Scope: local bookworm

CVE-2016-5419 [HIGH] CVE-2016-5419: curl - curl and libcurl before 7.50.1 do not prevent TLS session resumption when the cl... curl and libcurl before 7.50.1 do not prevent TLS session resumption when the client certificate has changed, which allows remote attackers to bypass intended restrictions by resuming a session. Scope: local bookworm: resolved (fixed in 7.50.1-1) bullseye: resolved (fixed in 7.50.1-1) forky: resolved (fixed in 7.50.1-1) sid: resolved (fixed in 7.50.1-1) trixie: resolved

CVE-2016-5420 [HIGH] CVE-2016-5420: curl - curl and libcurl before 7.50.1 do not check the client certificate when choosing... curl and libcurl before 7.50.1 do not check the client certificate when choosing the TLS connection to reuse, which might allow remote attackers to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate. Scope: local bookworm: resolved (fixed in 7.50.1-1) bullseye: resolved (fixed in 7.50.1-1) forky:

CVE-2016-8620 [MEDIUM] CVE-2016-8620: curl - The 'globbing' feature in curl before version 7.51.0 has a flaw that leads to in... The 'globbing' feature in curl before version 7.51.0 has a flaw that leads to integer overflow and out-of-bounds read via user controlled input. Scope: local bookworm: resolved (fixed in 7.51.0-1) bullseye: resolved (fixed in 7.51.0-1) forky: resolved (fixed in 7.51.0-1) sid: resolved (fixed in 7.51.0-1) trixie: resolved (fixed in 7.51.0-1)

CVE-2016-9586 [MEDIUM] CVE-2016-9586: curl - curl before version 7.52.0 is vulnerable to a buffer overflow when doing a large... curl before version 7.52.0 is vulnerable to a buffer overflow when doing a large floating point output in libcurl's implementation of the printf() functions. If there are any application that accepts a format string from the outside without necessary input filtering, it could allow remote attacks. Scope: local bookworm: resolved (fixed in 7.52.1-1) bullseye: resolved (

CVE-2016-8618 [MEDIUM] CVE-2016-8618: curl - The libcurl API function called `curl_maprintf()` before version 7.51.0 can be t... The libcurl API function called `curl_maprintf()` before version 7.51.0 can be tricked into doing a double-free due to an unsafe `size_t` multiplication, on systems using 32 bit `size_t` variables. Scope: local bookworm: resolved (fixed in 7.51.0-1) bullseye: resolved (fixed in 7.51.0-1) forky: resolved (fixed in 7.51.0-1) sid: resolved (fixed in 7.51.0-1) trixie: reso

CVE-2016-8625 [MEDIUM] CVE-2016-8625: curl - curl before version 7.51.0 uses outdated IDNA 2003 standard to handle Internatio... curl before version 7.51.0 uses outdated IDNA 2003 standard to handle International Domain Names and this may lead users to potentially and unknowingly issue network transfer requests to the wrong host. Scope: local bookworm: resolved (fixed in 7.51.0-1) bullseye: resolved (fixed in 7.51.0-1) forky: resolved (fixed in 7.51.0-1) sid: resolved (fixed in 7.51.0-1) trixie:

CVE-2016-8624 [MEDIUM] CVE-2016-8624: curl - curl before version 7.51.0 doesn't parse the authority component of the URL corr... curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use an URL parser that follows the RFC to check for allowed domains before using curl to request them. Scope: loc

CVE-2016-0755 [MEDIUM] CVE-2016-0755: curl - The ConnectionExists function in lib/url.c in libcurl before 7.47.0 does not pro... The ConnectionExists function in lib/url.c in libcurl before 7.47.0 does not properly re-use NTLM-authenticated proxy connections, which might allow remote attackers to authenticate as other users via a request, a similar issue to CVE-2014-0015. Scope: local bookworm: resolved (fixed in 7.47.0-1) bullseye: resolved (fixed in 7.47.0-1) forky: resolved (fixed in 7.47.0-1

CVE-2016-8615 [MEDIUM] CVE-2016-8615: curl - A flaw was found in curl before version 7.51. If cookie state is written into a ... A flaw was found in curl before version 7.51. If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar. Scope: local bookworm: resolved (fixed in 7.51.0-1) bullseye: resolved (fixed in 7.51.0-1) forky: resolved (fixed in 7.51.0-1)

CVE-2016-8619 [MEDIUM] CVE-2016-8619: curl - The function `read_data()` in security.c in curl before version 7.51.0 is vulner... The function `read_data()` in security.c in curl before version 7.51.0 is vulnerable to memory double free. Scope: local bookworm: resolved (fixed in 7.51.0-1) bullseye: resolved (fixed in 7.51.0-1) forky: resolved (fixed in 7.51.0-1) sid: resolved (fixed in 7.51.0-1) trixie: resolved (fixed in 7.51.0-1)

CVE-2016-8621 [MEDIUM] CVE-2016-8621: curl - The `curl_getdate` function in curl before version 7.51.0 is vulnerable to an ou... The `curl_getdate` function in curl before version 7.51.0 is vulnerable to an out of bounds read if it receives an input with one digit short. Scope: local bookworm: resolved (fixed in 7.51.0-1) bullseye: resolved (fixed in 7.51.0-1) forky: resolved (fixed in 7.51.0-1) sid: resolved (fixed in 7.51.0-1) trixie: resolved (fixed in 7.51.0-1)

CVE-2016-4802 [HIGH] CVE-2016-4802: curl - Multiple untrusted search path vulnerabilities in cURL and libcurl before 7.49.1... Multiple untrusted search path vulnerabilities in cURL and libcurl before 7.49.1, when built with SSPI or telnet is enabled, allow local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse (1) security.dll, (2) secur32.dll, or (3) ws2_32.dll in the application or current working directory. Scope: local bookworm: resolved bullseye: resolve

CVE-2016-8617 [LOW] CVE-2016-8617: curl - The base64 encode function in curl before version 7.51.0 is prone to a buffer be... The base64 encode function in curl before version 7.51.0 is prone to a buffer being under allocated in 32bit systems if it receives at least 1Gb as input via `CURLOPT_USERNAME`. Scope: local bookworm: resolved (fixed in 7.51.0-1) bullseye: resolved (fixed in 7.51.0-1) forky: resolved (fixed in 7.51.0-1) sid: resolved (fixed in 7.51.0-1) trixie: resolved (fixed in 7.51.0-1

CVE-2016-9594 [MEDIUM] CVE-2016-9594: curl - curl before version 7.52.1 is vulnerable to an uninitialized random in libcurl's... curl before version 7.52.1 is vulnerable to an uninitialized random in libcurl's internal function that returns a good 32bit random value. Having a weak or virtually non-existent random value makes the operations that use it vulnerable. Scope: local bookworm: resolved bullseye: resolved forky: resolved sid: resolved trixie: resolved

CVE-2016-9953 [CRITICAL] CVE-2016-9953: curl - The verify_certificate function in lib/vtls/schannel.c in libcurl 7.30.0 through... The verify_certificate function in lib/vtls/schannel.c in libcurl 7.30.0 through 7.51.0, when built for Windows CE using the schannel TLS backend, allows remote attackers to obtain sensitive information, cause a denial of service (crash), or possibly have unspecified other impact via a wildcard certificate name, which triggers an out-of-bounds read. Scope: local book