CVE-2017-1000254

See a problem?
Source
https://nvd.nist.gov/vuln/detail/CVE-2017-1000254
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-1000254.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2017-1000254
Aliases
Related
Published
2017-10-06T13:29:00Z
Modified
2024-09-18T02:54:19.172834Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the PWD command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients to work with it - the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault. The simple fact that this has issue remained undiscovered for this long could suggest that malformed PWD responses are rare in benign servers. We are not aware of any exploit of this flaw. This bug was introduced in commit 415d2e7cb7, March 2005. In libcurl version 7.56.0, the parser always zero terminates the string but also rejects it if not terminated properly with a final double quote.

References

Affected packages

Alpine:v3.3 / curl

Package

Name
curl
Purl
pkg:apk/alpine/curl?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
7.55.0-r1

Affected versions

7.*

7.19.2-r0
7.19.2-r1
7.19.4-r0
7.19.5-r0
7.19.6-r0
7.19.7-r0
7.19.7-r1
7.20.1-r0
7.20.1-r1
7.21.0-r0
7.21.1-r0
7.21.2-r0
7.21.3-r0
7.21.3-r1
7.21.4-r0
7.21.4-r1
7.21.5-r0
7.21.5-r1
7.21.6-r0
7.21.7-r0
7.21.7-r1
7.21.7-r2
7.22.0-r0
7.23.1-r0
7.24.0-r0
7.25.0-r0
7.26.0-r0
7.27.0-r0
7.27.0-r1
7.28.0-r0
7.28.1-r0
7.29.0-r0
7.30.0-r0
7.31.0-r0
7.32.0-r0
7.33.0-r0
7.33.0-r1
7.34.0-r0
7.34.0-r1
7.35.0-r0
7.36.0-r0
7.37.0-r0
7.37.1-r0
7.38.0-r0
7.39.0-r0
7.40.0-r0
7.41.0-r0
7.42.0-r0
7.42.1-r0
7.42.1-r1
7.43.0-r0
7.44.0-r0
7.45.0-r0
7.45.0-r1
7.46.0-r0
7.46.0-r1
7.47.0-r0
7.49.1-r0
7.49.1-r1
7.49.1-r2
7.49.1-r3
7.49.1-r4
7.52.1-r0
7.52.1-r1
7.55.0-r0

Alpine:v3.4 / curl

Package

Name
curl
Purl
pkg:apk/alpine/curl?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
7.55.0-r1

Affected versions

7.*

7.19.2-r0
7.19.2-r1
7.19.4-r0
7.19.5-r0
7.19.6-r0
7.19.7-r0
7.19.7-r1
7.20.1-r0
7.20.1-r1
7.21.0-r0
7.21.1-r0
7.21.2-r0
7.21.3-r0
7.21.3-r1
7.21.4-r0
7.21.4-r1
7.21.5-r0
7.21.5-r1
7.21.6-r0
7.21.7-r0
7.21.7-r1
7.21.7-r2
7.22.0-r0
7.23.1-r0
7.24.0-r0
7.25.0-r0
7.26.0-r0
7.27.0-r0
7.27.0-r1
7.28.0-r0
7.28.1-r0
7.29.0-r0
7.30.0-r0
7.31.0-r0
7.32.0-r0
7.33.0-r0
7.33.0-r1
7.34.0-r0
7.34.0-r1
7.35.0-r0
7.36.0-r0
7.37.0-r0
7.37.1-r0
7.38.0-r0
7.39.0-r0
7.40.0-r0
7.41.0-r0
7.42.0-r0
7.42.1-r0
7.42.1-r1
7.43.0-r0
7.44.0-r0
7.45.0-r0
7.45.0-r1
7.46.0-r0
7.46.0-r1
7.46.0-r2
7.47.0-r0
7.47.1-r0
7.48.0-r0
7.49.0-r0
7.49.1-r0
7.50.1-r0
7.50.2-r0
7.50.3-r0
7.51.0-r0
7.52.1-r0
7.52.1-r1
7.52.1-r2
7.55.0-r0

Alpine:v3.5 / curl

Package

Name
curl
Purl
pkg:apk/alpine/curl?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
7.56.0-r0

Affected versions

7.*

7.19.2-r0
7.19.2-r1
7.19.4-r0
7.19.5-r0
7.19.6-r0
7.19.7-r0
7.19.7-r1
7.20.1-r0
7.20.1-r1
7.21.0-r0
7.21.1-r0
7.21.2-r0
7.21.3-r0
7.21.3-r1
7.21.4-r0
7.21.4-r1
7.21.5-r0
7.21.5-r1
7.21.6-r0
7.21.7-r0
7.21.7-r1
7.21.7-r2
7.22.0-r0
7.23.1-r0
7.24.0-r0
7.25.0-r0
7.26.0-r0
7.27.0-r0
7.27.0-r1
7.28.0-r0
7.28.1-r0
7.29.0-r0
7.30.0-r0
7.31.0-r0
7.32.0-r0
7.33.0-r0
7.33.0-r1
7.34.0-r0
7.34.0-r1
7.35.0-r0
7.36.0-r0
7.37.0-r0
7.37.1-r0
7.38.0-r0
7.39.0-r0
7.40.0-r0
7.41.0-r0
7.42.0-r0
7.42.1-r0
7.42.1-r1
7.43.0-r0
7.44.0-r0
7.45.0-r0
7.45.0-r1
7.46.0-r0
7.46.0-r1
7.46.0-r2
7.47.0-r0
7.47.1-r0
7.48.0-r0
7.49.0-r0
7.49.1-r0
7.50.0-r0
7.50.1-r0
7.50.2-r0
7.50.3-r0
7.50.3-r1
7.51.0-r0
7.51.0-r1
7.52.0-r0
7.52.1-r0
7.52.1-r1
7.52.1-r2
7.52.1-r3
7.55.0-r0

Alpine:v3.6 / curl

Package

Name
curl
Purl
pkg:apk/alpine/curl?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
7.56.0-r0

Affected versions

7.*

7.19.2-r0
7.19.2-r1
7.19.4-r0
7.19.5-r0
7.19.6-r0
7.19.7-r0
7.19.7-r1
7.20.1-r0
7.20.1-r1
7.21.0-r0
7.21.1-r0
7.21.2-r0
7.21.3-r0
7.21.3-r1
7.21.4-r0
7.21.4-r1
7.21.5-r0
7.21.5-r1
7.21.6-r0
7.21.7-r0
7.21.7-r1
7.21.7-r2
7.22.0-r0
7.23.1-r0
7.24.0-r0
7.25.0-r0
7.26.0-r0
7.27.0-r0
7.27.0-r1
7.28.0-r0
7.28.1-r0
7.29.0-r0
7.30.0-r0
7.31.0-r0
7.32.0-r0
7.33.0-r0
7.33.0-r1
7.34.0-r0
7.34.0-r1
7.35.0-r0
7.36.0-r0
7.37.0-r0
7.37.1-r0
7.38.0-r0
7.39.0-r0
7.40.0-r0
7.41.0-r0
7.42.0-r0
7.42.1-r0
7.42.1-r1
7.43.0-r0
7.44.0-r0
7.45.0-r0
7.45.0-r1
7.46.0-r0
7.46.0-r1
7.46.0-r2
7.47.0-r0
7.47.1-r0
7.48.0-r0
7.49.0-r0
7.49.1-r0
7.50.0-r0
7.50.1-r0
7.50.2-r0
7.50.3-r0
7.50.3-r1
7.51.0-r0
7.51.0-r1
7.52.0-r0
7.52.1-r0
7.52.1-r1
7.53.0-r0
7.53.1-r0
7.53.1-r1
7.53.1-r2
7.53.1-r3
7.54.0-r0
7.55.0-r0

Debian:11 / curl

Package

Name
curl
Purl
pkg:deb/debian/curl?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
7.56.1-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:12 / curl

Package

Name
curl
Purl
pkg:deb/debian/curl?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
7.56.1-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13 / curl

Package

Name
curl
Purl
pkg:deb/debian/curl?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
7.56.1-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Git / github.com/curl/curl

Affected ranges

Type
GIT
Repo
https://github.com/curl/curl
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
042cc1f69ec0878f542667cb684378869f859911
Last affected
06bf874bbca0a5c600b210b5db920eff9f95f0d0
Last affected
0966b324d911423c81351fb12e9219f71cd63be8
Last affected
11a7ac0d6a84290001a5239df37bbca4270b17d4
Last affected
123c7b32db965eeae2601fa8c2939a890668f5c5
Last affected
139ab3740ae7cf5228bfb41a09d003da00d02756
Last affected
16fe0c9be3d8d3b4e81870645eb8b8c98dbfe94a
Last affected
1a7f66a3de2625d10f65415e6eb3e56067dc0555
Last affected
1b6c683ca6ddb33d35f07c2fbb89d4622d338048
Last affected
1d3969b2152be0600484ade0aa76b37df6e67576
Last affected
1dc54324f4ea1e18df4364dc130af9b3f8c7a401
Last affected
202aa9f7758636730299b86715d924f54468a908
Last affected
22691f849ac959ffaa821a3ca7f746ee54bd5e52
Last affected
23cf63f550c88ad50b57b1818322b8104e0f0943
Last affected
259ac2dd77174efd3b33e20c400380bcfcd23913
Last affected
25df50aa3392ecdbf2b8256b93b30558e8b3a810
Last affected
2679562dc7685674998f2841811d361400ae0d19
Last affected
2a05025510dcae46ac01fd457942061052ebed1b
Last affected
2bf90d071016e279796e789f0ac223d635671a41
Last affected
2c000d91f3c423cee0af44e8afc79b9d25a9e714
Last affected
303bfc1024d948a5ba134ccfc106f82c0b4fd675
Last affected
30c85c327bf7c6980a10558c4504031791194c09
Last affected
323273382c9205b71a1b4e97d136da6b2d2f64c0
Last affected
329bcf3a7117c7e5c26d7c8f840af64fb7140753
Last affected
33c02d47711c81087d232c7e0e66b74ab61c14d5
Last affected
3654bd1b56f99937c038854de7b7229ba75e2916
Last affected
38e07886ed2792988217a2ffa482ce3a69ca92c2
Last affected
39626d8cfdd8f858d2fa67ec18204ebc5913d532
Last affected
3c561c657c2f0e553b19115a506592a8bbd744bc
Last affected
3cda1a23ce3eac67ff2689e74318377595761475
Last affected
3fed9acaef45ac8b99ceecc38afbed3494e2d3ef
Last affected
44b9b4d4f56d6f6de92c89636994c03984e9cd01
Last affected
4a9e12542dba5d3ce4b6205f1ec58e1336bc4b0e
Last affected
4b1782c37141b82aa118eaf05061bb9ba1759700
Last affected
4d2cb8b32aa7dbd2607a522ee63193c151665766
Last affected
4f0258ec09ceb5cdb26f6c7d0840e53f11d3fc54
Last affected
4f041c9d6e61829310eb0715d8edb2a232478123
Last affected
4feb6e6d035d5d66984957c8ca22bc9a05df527f
Last affected
50a53d4eecec60d348100e8506bd01fefd2b5f7f
Last affected
5370d7a6ebebecd8aff515d3b7528bf24d49b587
Last affected
546572da0457f37c698c02d0a08d90fdfcbeedec
Last affected
54b636f14546d3fde9f9c67c3b32701d78563161
Last affected
55225106b6a0ecface0f129367e533736a874a91
Last affected
5c2df3e1a4da7b17ae053ee8c4ecef5eb2d30464
Last affected
6247b6d4685beee6362f76664bb50963d40e651d
Last affected
64c613c27abb58503eb8a966bee1489562060da0
Last affected
67273eed9bc06b864bfb5882fc87ee6cd891be38
Last affected
67fe54d918a3b42a24cb7f5db81514c10e239735
Last affected
6bf9d564856c76a54147d313decd81d1b3445d7d
Last affected
6d7d0eba6d95fd5122b2d2a52f77da510bfefb3b
Last affected
6e1a986e0f35cf36618bd88f42e14ea856b6951b
Last affected
6ebc2b25611ea1e382bedbf6f6af1ac7a6488bae
Last affected
7010e5ea845bd0f9cd377cd60573a5d3d34f6585
Last affected
70812c2f32fc5734bcbbe572b9f61c380433ad6a
Last affected
719bec26063e34a111053efa9fadaa14b17ac42b
Last affected
79e63a53bb9598af863b0afe49ad662795faeef4
Last affected
7dbad3c382a2f346af2f5160aa88cd28c03fbc85
Last affected
7e16ec872438e6df9172d3ad18b1117448cf6a93
Last affected
80d241046e404233537ff35efabb703a0668c7d5
Last affected
81219e80309fc21d379760a3852a832a73204215
Last affected
8249b0522d371679f2cd2516045a5f938ea36a53
Last affected
827f0a318cdbf73800c2366cf6a3132f2b2a7c49
Last affected
8548c2fc61c153075c4edcf9b810132803f4d612
Last affected
85c710e11e7a7c1caf02962bbbdc08a5561ae769
Last affected
874fc8228a1126d2217f195aa674dfb4fbdf2002
Last affected
8839c05fba1f8415eec17eff8ac60cc3a50eb51e
Last affected
8986c86e1ef297e95518ae4695339f2d64d913cf
Last affected
8da5da9b6544337b8a675db092da201f279265d4
Last affected
8f995e2e0022292374fc99a2277069b08ad98b5c
Last affected
9549cfde02d72812c5cc1ce241955382b5bc371f
Last affected
95a4b8db680beeca879f39c161296d29e22138f1
Last affected
95c717bbd9c327c38b4efcc37d5cda29b8ee2a36
Last affected
95ddbdb1dbfbb051d67bf0d6643b1a917a4c7d88
Last affected
96cec4dfd7daa3ff87bad2140f28745d8417581e
Last affected
9819cec61b00cc872136ea5faf469627b3b87e69
Last affected
9ce2d7001939b795b45a8ce7700d1a3dcde0475d
Last affected
9ce6d0d52821c6e33506cb173f0e27c68014e60e
Last affected
a5b206f3981c3637699d5750766601bd626c240b
Last affected
a5ee8d50c3faf1359f039c87a3d2dfee9f45d566
Last affected
a6ba9e5ccd782d986f6dc5e74ec2ba8ad49be7be
Last affected
a7135ac3c3d825ec9f4919ee0212434e01e76b4c
Last affected
a7b98f5f6b8e4abbaf32314f68b1e43948df2271
Last affected
a8e063b0877da005342b3445c5535a5bce0d5bc5
Last affected
b122959c8b78b5359184f30c4fb2c86d2b6d7594
Last affected
b238e0b1b4e8f3e5c4e9c0d7d8c565e3776b0999
Last affected
b8d006b9d79e8ba726a14b55b6e26f9883f3ecee
Last affected
b9660dc4b290781ff6535dec32258ec14e6ff0b5
Last affected
b9fdb721f2948487fcffe34ad60790a83379e1b9
Last affected
bdb5e5a25037a585e0ec6b83d29b25961c6823f8
Last affected
bdd731177ed9db37eab4d9f594f24491ef2fe438
Last affected
bf633a584dcbb0f80273ba856b7198ad1e395315
Last affected
bf9b9ca29d7bd7c81db6d0e4a85356831572f28d
Last affected
bfd00ac2ed315d8a309483eafb022e3cbe424326
Last affected
c1babfad8a98a5fe28e2106d95e1bd7eeafcdb46
Last affected
c262c35676a2c3240da433e7a4428ac2129b445f
Last affected
c2d4fd876c77132caf593e397db615eb12266c7d
Last affected
c7e9e60b05b0c3f2f09570cb3089faf58ea51d49
Last affected
c96f7f13dac506dee5ae8988eb98f024bf009e70
Last affected
cf93a7b364a70b56150cf6ea77492b799ec02a45
Last affected
d1b94a5f3fb45c64dc0c5026b09c910cb2bc7478
Last affected
d2174da6416b9042e38ac3be12ec287b755a77dc
Last affected
d37145834876308121d3e825c85b08bec0b3ff97
Last affected
d957e2189fdc73cef0ff3d1fb58043d354754449
Last affected
da30242640bf36265902925d0e1d46dabfd53a3e
Last affected
da59692067627f060cef15cade11029b9236940e
Last affected
df5169fa35f31ebe10893f2a3416ec8e8d8faa20
Last affected
e2ae32ff5f3ab6f0819590f61f248f17df12987f
Last affected
e2e64798b5d3f1d1c75386448a6a56480828c0e5
Last affected
e91d167ff8cb89523447680e3560f60d93615055
Last affected
edb17560509831e8caa1fcf3fe70000196f44294
Last affected
ef442d58039106eee596d09dd47e2bd6aa1ec032
Last affected
f2cb3a01192d36395d16acec6cdb93446ca6fd45
Last affected
f2f07dad3451d1f63b56d3de0b43160c39d275d7
Last affected
f49df54a36a39995be32782154f3ca2692f17ac4
Last affected
f77e89c5d20db09eaebf378ec036a7e796932810
Last affected
fadf0775023875306b1a559763be3311472b2de1
Last affected
ff837422ee4ec7d6aea7750a40e30cba29db93e8

Affected versions

Other

Curl_easy_1-1-7
Curl_easy_1-1-8
before_ftp_statemachine
before_urldata_rename
c-ares-1_2_0
c-ares-1_3_0
curl-6_5
curl-6_5_1
curl-6_5_2
curl-7_10
curl-7_10_1
curl-7_10_2
curl-7_10_3
curl-7_10_4
curl-7_10_5
curl-7_10_6
curl-7_10_7
curl-7_10_8
curl-7_11_0
curl-7_11_1
curl-7_11_2
curl-7_12_0
curl-7_12_1
curl-7_12_2
curl-7_12_3
curl-7_13_0
curl-7_13_1
curl-7_13_2
curl-7_14_0
curl-7_14_1
curl-7_15_0
curl-7_15_1
curl-7_15_2
curl-7_15_3
curl-7_15_4
curl-7_15_5
curl-7_15_6-prepipeline
curl-7_16_0
curl-7_16_1
curl-7_16_2
curl-7_16_3
curl-7_16_4
curl-7_17_0
curl-7_17_0-preldapfix
curl-7_17_1
curl-7_18_0
curl-7_18_1
curl-7_18_2
curl-7_19_0
curl-7_19_1
curl-7_19_2
curl-7_19_3
curl-7_19_4
curl-7_1_1
curl-7_2
curl-7_3
curl-7_4_1
curl-7_5
curl-7_5_2
curl-7_6
curl-7_6-pre4
curl-7_6_1
curl-7_6_1-pre1
curl-7_6_1-pre2
curl-7_6_1-pre3
curl-7_7
curl-7_7-beta1
curl-7_7-beta2
curl-7_7-beta3
curl-7_7-beta5
curl-7_7_1
curl-7_7_2
curl-7_7_3
curl-7_7_alpha2
curl-7_8
curl-7_8-pre2
curl-7_8_1
curl-7_8_1-pre3
curl-7_9
curl-7_9_1
curl-7_9_2
curl-7_9_3
curl-7_9_3-pre1
curl-7_9_3-pre2
curl-7_9_3-pre3
curl-7_9_4
curl-7_9_5
curl-7_9_5-pre2
curl-7_9_5-pre4
curl-7_9_6
curl-7_9_7
curl-7_9_7-pre2
curl-7_9_8
curl_7_6-pre3
v7_0_2beta