svn commit: r451185 - head/security/vuxml

Bernard Spil brnrd at FreeBSD.org
Wed Oct 4 07:56:05 UTC 2017 

Author: brnrd
Date: Wed Oct  4 07:56:03 2017
New Revision: 451185
URL: https://svnweb.freebsd.org/changeset/ports/451185

Log:
  security/vuxml: Document latest cURL vulnerability

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Wed Oct  4 07:53:36 2017	(r451184)
+++ head/security/vuxml/vuln.xml	Wed Oct  4 07:56:03 2017	(r451185)
@@ -58,6 +58,48 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="ccace707-a8d8-11e7-ac58-b499baebfeaf">
+    <topic>cURL -- out of bounds read</topic>
+    <affects>
+      <package>
+	<name>curl</name>
+	<range><lt>7.56.0</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>The cURL project reports:</p>
+	<blockquote cite="https://curl.haxx.se/docs/adv_20171004.html">
+	  <p>FTP PWD response parser out of bounds read</p>
+	  <p>libcurl may read outside of a heap allocated buffer when doing FTP.</p>
+	  <p>When libcurl connects to an FTP server and successfully logs in
+	    (anonymous or not), it asks the server for the current directory with
+	    the PWD command. The server then responds with a 257 response containing
+	    the path, inside double quotes. The returned path name is then kept by
+	    libcurl for subsequent uses.</p>
+	  <p>Due to a flaw in the string parser for this directory name, a directory
+	    name passed like this but without a closing double quote would lead to
+	    libcurl not adding a trailing NUL byte to the buffer holding the name.
+	    When libcurl would then later access the string, it could read beyond
+	    the allocated heap buffer and crash or wrongly access data beyond the
+	    buffer, thinking it was part of the path.</p>
+	  <p>A malicious server could abuse this fact and effectively prevent
+	    libcurl-based clients to work with it - the PWD command is always issued
+	    on new FTP connections and the mistake has a high chance of causing a
+	    segfault.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://curl.haxx.se/docs/adv_20171004.html</url>
+      <cvename>CVE-2017-1000254</cvename>
+    </references>
+    <dates>
+      <discovery>2017-10-04</discovery>
+      <entry>2017-10-04</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="6ed5c5e3-a840-11e7-b5af-a4badb2f4699">
     <topic>FreeBSD -- OpenSSH Denial of Service vulnerability</topic>
     <affects>

More information about the svn-ports-head mailing list