cURL URL Globbing Flaw Lets Local Users View Portions of System Memory on the Target System
SecurityTracker Alert ID: 1039117|
SecurityTracker URL: http://securitytracker.com/id/1039117
(Links to External Site)
Date: Aug 10 2017
Disclosure of system information|
Fix Available: Yes Vendor Confirmed: Yes |
Version(s): 7.34.0 - 7.54.1|
A vulnerability was reported in cURL. A local user can obtain potentially sensitive information from system memory.|
A local user can supply a URL containing specially crafted numerical range characters to trigger a heap read error and obtain potentially sensitive information from system memory on the target system.
A demonstration exploit URL is provided:
The command line tool is affected.
The libcurl library is not affected.
Brian Carpenter and Yongji Ouyang independently reported this vulnerability.
A local user can obtain potentially sensitive information from system memory on the target system.|
The vendor has issued a fix (7.55.0).|
The vendor advisory is available at:
Vendor URL: curl.haxx.se/docs/adv_20170809A.html (Links to External Site)
|Underlying OS: Linux (Any), UNIX (Any), Windows (Any)|
This archive entry has one or more follow-up message(s) listed below.|
Source Message Contents
Subject: [oss-security] [SECURITY ADVISORY] curl: URL globbing out of bounds read|
URL globbing out of bounds read
Project curl Security Advisory, August 9th 2017 -
curl supports "globbing" of URLs, in which a user can pass a numerical range
to have the tool iterate over those numbers to do a sequence of transfers.
In the globbing function that parses the numerical range, there was an
omission that made curl read a byte beyond the end of the URL if given a
carefully crafted, or just wrongly written, URL. The URL is stored in a heap
based buffer, so it could then be made to wrongly read something else instead
An example of a URL that triggers the flaw would be
We are not aware of any exploit of this flaw.
This flaw only affects the curl command line tool, not the libcurl
library. The bug was introduced in commit
2013. curl 7.34.0.
For version 7.55.0, the parser properly stops at the end of the string and a
test has been added to verify this.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2017-1000101 to this issue.
- Affected versions: curl 7.34.0 to and including 7.54.1
- Not affected versions: curl < 7.34.0 and >= 7.55.1
curl is used by many applications, but not always advertised as such.
A [patch for CVE-2017-1000101](https://curl.haxx.se/CVE-2017-1000101.patch) is
We suggest you take one of the following actions immediately, in order of
A - Upgrade curl to version 7.55.0
B - Apply the patch to your version and rebuild
It was reported to the curl project on June 14, 2017. We contacted
distros@openwall on August 1.
curl 7.55.0 was released on August 9 2017, coordinated with the publication of
Reported by Brian Carpenter and Yongji Ouyang (independently of each
other). Patch by Daniel Stenberg.
Thanks a lot!