CVE-2017-1000257 - OpenCVE

An IMAP FETCH response line indicates the size of the returned data, in number of bytes. When that response says the data is zero bytes, libcurl would pass on that (non-existing) data with a pointer and the size (zero) to the deliver-data function. libcurl's deliver-data function treats zero as a magic number and invokes strlen() on the data to figure out the length. The strlen() is called on a heap based buffer that might not be zero terminated so libcurl might read beyond the end of it into whatever memory lies after (or just crash) and then deliver that to the application as if it was actually downloaded.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:N/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Debian	Debian Linux
Haxx	Libcurl

Configuration 1 [-]

cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:debian:debian_linux:8.0:::::::*
	cpe:2.3:o:debian:debian_linux:9.0:::::::*

References

Link	Resource
http://www.debian.org/security/2017/dsa-4007	Third Party Advisory
http://www.securityfocus.com/bid/101519	Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1039644	Third Party Advisory VDB Entry
https://access.redhat.com/errata/RHSA-2017:3263
https://access.redhat.com/errata/RHSA-2018:2486
https://access.redhat.com/errata/RHSA-2018:3558
https://curl.haxx.se/docs/adv_20171023.html	Vendor Advisory
https://security.gentoo.org/glsa/201712-04

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2017-10-31T21:00:00

Updated: 2018-11-13T10:57:01

Reserved: 2017-10-31T00:00:00

Link: CVE-2017-1000257

JSON object: View

NVD Information

Status : Modified

Published: 2017-10-31T21:29:00.203

Modified: 2018-11-13T11:29:07.977

Link: CVE-2017-1000257

JSON object: View

Redhat Information

No data.

CWE

CWE-119

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "dateAssigned": "2017-10-17T00:00:00", "datePublic": "2017-10-31T00:00:00", "descriptions": [{"lang": "en", "value": "An IMAP FETCH response line indicates the size of the returned data, in number of bytes. When that response says the data is zero bytes, libcurl would pass on that (non-existing) data with a pointer and the size (zero) to the deliver-data function. libcurl's deliver-data function treats zero as a magic number and invokes strlen() on the data to figure out the length. The strlen() is called on a heap based buffer that might not be zero terminated so libcurl might read beyond the end of it into whatever memory lies after (or just crash) and then deliver that to the application as if it was actually downloaded."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-11-13T10:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://curl.haxx.se/docs/adv_20171023.html"}, {"name": "RHSA-2017:3263", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:3263"}, {"name": "GLSA-201712-04", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201712-04"}, {"name": "1039644", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1039644"}, {"name": "RHSA-2018:3558", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:3558"}, {"name": "101519", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/101519"}, {"name": "DSA-4007", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2017/dsa-4007"}, {"name": "RHSA-2018:2486", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:2486"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "DATE_ASSIGNED": "2017-10-17", "ID": "CVE-2017-1000257", "REQUESTER": "daniel@haxx.se", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An IMAP FETCH response line indicates the size of the returned data, in number of bytes. When that response says the data is zero bytes, libcurl would pass on that (non-existing) data with a pointer and the size (zero) to the deliver-data function. libcurl's deliver-data function treats zero as a magic number and invokes strlen() on the data to figure out the length. The strlen() is called on a heap based buffer that might not be zero terminated so libcurl might read beyond the end of it into whatever memory lies after (or just crash) and then deliver that to the application as if it was actually downloaded."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://curl.haxx.se/docs/adv_20171023.html", "refsource": "CONFIRM", "url": "https://curl.haxx.se/docs/adv_20171023.html"}, {"name": "RHSA-2017:3263", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2017:3263"}, {"name": "GLSA-201712-04", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201712-04"}, {"name": "1039644", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1039644"}, {"name": "RHSA-2018:3558", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:3558"}, {"name": "101519", "refsource": "BID", "url": "http://www.securityfocus.com/bid/101519"}, {"name": "DSA-4007", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2017/dsa-4007"}, {"name": "RHSA-2018:2486", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:2486"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-1000257", "datePublished": "2017-10-31T21:00:00", "dateReserved": "2017-10-31T00:00:00", "dateUpdated": "2018-11-13T10:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:*", "matchCriteriaId": "A472460B-2EE1-49F4-BF4F-CFFB6EDDEE8A", "versionEndIncluding": "7.56.0", "versionStartIncluding": "7.20.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An IMAP FETCH response line indicates the size of the returned data, in number of bytes. When that response says the data is zero bytes, libcurl would pass on that (non-existing) data with a pointer and the size (zero) to the deliver-data function. libcurl's deliver-data function treats zero as a magic number and invokes strlen() on the data to figure out the length. The strlen() is called on a heap based buffer that might not be zero terminated so libcurl might read beyond the end of it into whatever memory lies after (or just crash) and then deliver that to the application as if it was actually downloaded."}, {"lang": "es", "value": "Una l\u00ednea de respuesta IMAP FETCH indica el tama\u00f1o de los datos devueltos en n\u00famero de bytes. Cuando una respuesta indica que el tama\u00f1o de los datos es cero bytes, libcurl pasar\u00eda esos datos (inexistentes) con un puntero y el tama\u00f1o (cero) a la funci\u00f3n deliver-data. La funci\u00f3n deliver-data de libcurl trata el cero como un n\u00famero m\u00e1gico e invoca strlen() en los datos para adivinar la longitud. Se llama a strlen() en un b\u00fafer basado en memoria din\u00e1mica (heap) que podr\u00eda no terminar en cero, por lo que libcurl podr\u00eda leer m\u00e1s all\u00e1 del final del b\u00fafer en cualquier memoria en la que se encuentre despu\u00e9s (o simplemente provocar un cierre inesperado) y entregar los datos a la aplicaci\u00f3n como si en realidad se hubieran descargado."}], "id": "CVE-2017-1000257", "lastModified": "2018-11-13T11:29:07.977", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-10-31T21:29:00.203", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://www.debian.org/security/2017/dsa-4007"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/101519"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1039644"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2017:3263"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2018:2486"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2018:3558"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://curl.haxx.se/docs/adv_20171023.html"}, {"source": "cve@mitre.org", "url": "https://security.gentoo.org/glsa/201712-04"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}], "source": "nvd@nist.gov", "type": "Primary"}]}