URL globbing out of bounds read ===============================
Project curl Security Advisory, August 9th 2017 - [Permalink](https://curl.haxx.se/docs/adv_20170809A.html) VULNERABILITY ------------- curl supports "globbing" of URLs, in which a user can pass a numerical range to have the tool iterate over those numbers to do a sequence of transfers. In the globbing function that parses the numerical range, there was an omission that made curl read a byte beyond the end of the URL if given a carefully crafted, or just wrongly written, URL. The URL is stored in a heap based buffer, so it could then be made to wrongly read something else instead of crashing. An example of a URL that triggers the flaw would be `http://ur%20[0-60000000000000000000`. We are not aware of any exploit of this flaw. INFO ---- This flaw only affects the curl command line tool, not the libcurl library. The bug was introduced in commit [5ca96cb84410270](https://github.com/curl/curl/commit/5ca96cb84410270), August 2013. curl 7.34.0. For version 7.55.0, the parser properly stops at the end of the string and a test has been added to verify this. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2017-1000101 to this issue. AFFECTED VERSIONS ----------------- - Affected versions: curl 7.34.0 to and including 7.54.1 - Not affected versions: curl < 7.34.0 and >= 7.55.1 curl is used by many applications, but not always advertised as such. THE SOLUTION ------------ A [patch for CVE-2017-1000101](https://curl.haxx.se/CVE-2017-1000101.patch) is available. RECOMMENDATIONS --------------- We suggest you take one of the following actions immediately, in order of preference: A - Upgrade curl to version 7.55.0 B - Apply the patch to your version and rebuild TIME LINE --------- It was reported to the curl project on June 14, 2017. We contacted distros@openwall on August 1. curl 7.55.0 was released on August 9 2017, coordinated with the publication of this advisory. CREDITS ------- Reported by Brian Carpenter and Yongji Ouyang (independently of each other). Patch by Daniel Stenberg. Thanks a lot! -- / daniel.haxx.se ------------------------------------------------------------------- Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library Etiquette: https://curl.haxx.se/mail/etiquette.html