ESB-2017.2525 - [Debian] curl: Multiple vulnerabilities 2017-10-09


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2525
                           curl security update
                              9 October 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           curl
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   Debian GNU/Linux 9
Impact/Access:     Denial of Service              -- Remote with User Interaction
                   Provide Misleading Information -- Remote with User Interaction
                   Access Confidential Data       -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-1000254 CVE-2017-1000101 CVE-2017-1000100

Reference:         ESB-2017.2343

Original Bulletin: 
   http://www.debian.org/security/2017/dsa-3992

--------------------------BEGIN INCLUDED TEXT--------------------

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

-------------------------------------------------------------------------
Debian Security Advisory DSA-3992-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 06, 2017                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : curl
CVE ID         : CVE-2017-1000100 CVE-2017-1000101 CVE-2017-1000254
Debian Bug     : 871554 871555 877671

Several vulnerabilities have been discovered in cURL, a URL transfer
library. The Common Vulnerabilities and Exposures project identifies the
following problems:

CVE-2017-1000100

    Even Rouault reported that cURL does not properly handle long file
    names when doing a TFTP upload. A malicious HTTP(S) server can take
    advantage of this flaw by redirecting a client using the cURL
    library to a crafted TFTP URL and tricking it into sending private
    memory contents to a remote server over UDP.

CVE-2017-1000101

    Brian Carpenter and Yongji Ouyang reported that cURL contains a flaw
    in the globbing function that parses the numerical range, leading to
    an out-of-bounds read when parsing a specially crafted URL.

CVE-2017-1000254

    Max Dymond reported that cURL contains an out-of-bounds read flaw in
    the FTP PWD response parser. A malicious server can take advantage
    of this flaw to effectively prevent a client using the cURL library
    from working with it, causing a denial of service.

For the oldstable distribution (jessie), these problems have been fixed
in version 7.38.0-4+deb8u6.

For the stable distribution (stretch), these problems have been fixed in
version 7.52.1-5+deb9u1.

We recommend that you upgrade your curl packages.
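As an added example (not part of the Debian or AusCERT text), the following Python script decides whether an installed jessie or stretch curl/libcurl version predates the fixed versions named above. It compares versions under Debian's own ordering rules, so revisions such as +deb8u10 or a ~bpo backport are ranked correctly rather than as plain strings; the package names and versions in the sample are constructed.

```python
# Fixed versions stated in DSA-3992-1, keyed by Debian suite.
FIXED = {"jessie": "7.38.0-4+deb8u6", "stretch": "7.52.1-5+deb9u1"}

def _order(c):
    """Weight of one character in a non-digit run, as dpkg ranks them: '~' < end < letters < others."""
    if c.isdigit():
        return 0
    return -1 if c == "~" else (ord(c) if c.isalpha() else ord(c) + 256)

def _cmp_part(a, b):
    """Compare one version component dpkg-style: alternate non-digit runs (lexical) and digit runs (numeric)."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0      # end of string weighs 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        da = db = ""                                      # collect the next digit runs
        while i < len(a) and a[i].isdigit():
            da, i = da + a[i], i + 1
        while j < len(b) and b[j].isdigit():
            db, j = db + b[j], j + 1
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def compare_versions(v1, v2):
    """Return <0, 0 or >0 as v1 is older than, equal to or newer than v2 under Debian version rules."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    return (e1 - e2) or _cmp_part(u1, u2) or _cmp_part(r1, r2)

def vulnerable_to_dsa_3992(suite, installed):
    """True if `installed` (a curl/libcurl* version on `suite`) predates the DSA-3992-1 fix."""
    return compare_versions(installed, FIXED[suite]) < 0

if __name__ == "__main__":
    # Constructed sample of `dpkg-query -W -f '${Package} ${Version}\n' curl 'libcurl*'` on a jessie host.
    for line in ["curl 7.38.0-4+deb8u5", "libcurl3 7.38.0-4+deb8u6", "libcurl3-gnutls 7.38.0-4+deb8u5"]:
        pkg, ver = line.split()
        print(pkg, ver, "VULNERABLE" if vulnerable_to_dsa_3992("jessie", ver) else "fixed")
```

Note that the library packages (libcurl3, libcurl3-gnutls) matter as much as the curl binary, since the flaws are in the library that other applications link against.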

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----
