(Ubuntu Issues Fix) cURL URL Globbing Flaw Lets Local Users View Portions of System Memory on the Target System
|
SecurityTracker Alert ID: 1039546 |
SecurityTracker URL: http://securitytracker.com/id/1039546
|
CVE Reference: CVE-2017-1000101
|
Date: Oct 11 2017
|
Impact:
Disclosure of system information
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): 7.34.0 - 7.54.1
|
Description:
A vulnerability was reported in cURL. A local user can obtain potentially sensitive information from system memory.
A local user can supply a URL containing specially crafted numerical range characters to trigger a heap read error and obtain potentially sensitive information from system memory on the target system.
A demonstration exploit URL is provided:
http://ur%20[0-60000000000000000000
The command line tool is affected.
The libcurl library is not affected.
Brian Carpenter and Yongji Ouyang independently reported this vulnerability.
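As an added illustration of the boundary checking this class of flaw calls for (not code from cURL or from the advisory), the C code below parses a numeric glob range of the form [N-M] and rejects the range text in the demonstration URL above, whose upper bound does not fit in an unsigned long and which has no closing bracket. The function names and all sample strings other than that range text are assumptions made for the example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Parse one unsigned bound at *p and advance *p past it.
 * Fails on a missing digit, a sign or whitespace, or a value that overflows. */
static int parse_bound(const char **p, unsigned long *out)
{
    char *end;
    if (!isdigit((unsigned char)**p))   /* strtoul alone would accept "-5" or " 5" */
        return -1;
    errno = 0;
    *out = strtoul(*p, &end, 10);
    if (errno == ERANGE)                /* does not fit: reject instead of clamping */
        return -1;
    *p = end;
    return 0;
}

/* Hypothetical helper: parse "[N-M]" at s. On success returns 0 and stores the
 * bounds and the number of bytes consumed; returns -1 for any malformed range. */
int parse_num_range(const char *s, unsigned long *lo, unsigned long *hi, size_t *len)
{
    const char *p = s;
    if (*p++ != '[')
        return -1;
    if (parse_bound(&p, lo) != 0 || *p++ != '-')
        return -1;
    if (parse_bound(&p, hi) != 0 || *p != ']')  /* closing bracket is mandatory */
        return -1;
    if (*lo > *hi)
        return -1;
    *len = (size_t)(p + 1 - s);
    return 0;
}

int main(void)
{
    /* First entry is the range text from the advisory's demonstration URL;
     * the remaining strings are constructed for this example. */
    const char *samples[] = { "[0-60000000000000000000", "[1-100]", "[5-", "[9-3]" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned long lo, hi;
        size_t n;
        int rc = parse_num_range(samples[i], &lo, &hi, &n);
        printf("%-26s %s\n", samples[i], rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```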
|
Impact:
A local user can obtain potentially sensitive information from system memory on the target system.
|
Solution:
Ubuntu has issued a fix.
The Ubuntu advisory is available at:
https://www.ubuntu.com/usn/usn-3441-1
|
Vendor URL: www.ubuntu.com/usn/usn-3441-1
|
Cause:
Boundary error
|
Underlying OS: Linux (Ubuntu)
|
Underlying OS Comments: 14.04 LTS, 16.04 LTS, 17.04
|
|
Message History:
This archive entry is a follow-up to the message listed below.