[3.6] curl: write-out out of buffer read (CVE-2017-7407)
There were two bugs in curl’s parser for the command line option
—write-out (or -w for short) that would skip the end of string zero
byte
if the string ended in a % (percent) or \ (backslash), and it would
read beyond that buffer in the heap memory and it could then
potentially
output pieces of that memory to the terminal or the target file etc.
Affected versions:
6.5 to and including 7.53.1
Not affected versions:
< 6.5 and >= 7.54.0
References:
https://curl.haxx.se/docs/security.html
Patch:
https://curl.haxx.se/CVE-2017-7407.patch
(from redmine: issue id 7133, created on 2017-04-13, closed on 2017-04-25)
- Relations:
- parent #7132 (closed)
- Changesets:
- Revision 0f35f852 by Sergei Lukin on 2017-04-14T14:12:39Z:
main/curl: security fixes #7133
CVE-2017-7407: write-out out of buffer read