Huawei EulerOS Local Security Checks : Huawei EulerOS: Security Advisory for curl (EulerOS-SA-2017-1288)

Vulnerability Search		Search 324607 CVE descriptions and 145615 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.1.2.2017.1288

Category: Huawei EulerOS Local Security Checks

Title: Huawei EulerOS: Security Advisory for curl (EulerOS-SA-2017-1288)

Summary: The remote host is missing an update for the Huawei EulerOS 'curl' package(s) announced via the EulerOS-SA-2017-1288 advisory.

Description: Summary:
The remote host is missing an update for the Huawei EulerOS 'curl' package(s) announced via the EulerOS-SA-2017-1288 advisory.

Vulnerability Insight:
libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients to work with it - the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault. The simple fact that this has issue remained undiscovered for this long could suggest that malformed PWD responses are rare in benign servers. We are not aware of any exploit of this flaw. This bug was introduced in commit [415d2e7cb7]([link moved to references]), March 2005. In libcurl version 7.56.0, the parser always zero terminates the string but also rejects it if not terminated properly with a final double quote.(CVE-2017-1000254)

Affected Software/OS:
'curl' package(s) on Huawei EulerOS V2.0SP2.

Solution:
Please install the updated package(s).

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:P

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2017-1000254
BugTraq ID: 101115
http://www.securityfocus.com/bid/101115
Debian Security Information: DSA-3992 (Google Search)
http://www.debian.org/security/2017/dsa-3992
https://security.gentoo.org/glsa/201712-04
https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
RedHat Security Advisories: RHSA-2018:2486
https://access.redhat.com/errata/RHSA-2018:2486
RedHat Security Advisories: RHSA-2018:3558
https://access.redhat.com/errata/RHSA-2018:3558
http://www.securitytracker.com/id/1039509

Copyright Copyright (C) 2020 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.1.2.2017.1288
Category:	Huawei EulerOS Local Security Checks
Title:	Huawei EulerOS: Security Advisory for curl (EulerOS-SA-2017-1288)
Summary:	The remote host is missing an update for the Huawei EulerOS 'curl' package(s) announced via the EulerOS-SA-2017-1288 advisory.
Description:	Summary: The remote host is missing an update for the Huawei EulerOS 'curl' package(s) announced via the EulerOS-SA-2017-1288 advisory. Vulnerability Insight: libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients to work with it - the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault. The simple fact that this has issue remained undiscovered for this long could suggest that malformed PWD responses are rare in benign servers. We are not aware of any exploit of this flaw. This bug was introduced in commit [415d2e7cb7]([link moved to references]), March 2005. In libcurl version 7.56.0, the parser always zero terminates the string but also rejects it if not terminated properly with a final double quote.(CVE-2017-1000254) Affected Software/OS: 'curl' package(s) on Huawei EulerOS V2.0SP2. Solution: Please install the updated package(s). CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2017-1000254 BugTraq ID: 101115 http://www.securityfocus.com/bid/101115 Debian Security Information: DSA-3992 (Google Search) http://www.debian.org/security/2017/dsa-3992 https://security.gentoo.org/glsa/201712-04 https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E RedHat Security Advisories: RHSA-2018:2486 https://access.redhat.com/errata/RHSA-2018:2486 RedHat Security Advisories: RHSA-2018:3558 https://access.redhat.com/errata/RHSA-2018:3558 http://www.securitytracker.com/id/1039509
Copyright	Copyright (C) 2020 Greenbone AG