SB2017042519 - Buffer overflow in curl (Alpine package)
Published: April 25, 2017
Security Bulletin ID
SB2017042519
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Physical access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Buffer overflow (CVE-ID: CVE-2017-7407)
The vulnerability allows a local non-authenticated attacker to gain access to sensitive information.
The ourWriteOut function in tool_writeout.c in curl 7.53.1 might allow physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which leads to a heap-based buffer over-read.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=e57c1f8b95e9a6aecc75e9eaae6c7bf9e259adb6
- https://git.alpinelinux.org/aports/commit/?id=7079fe21530ae1c8147925d8b591131b786ab2e9
- https://git.alpinelinux.org/aports/commit/?id=8e6f31c56dbe2966fb43113f9c7c1039bbef9865
- https://git.alpinelinux.org/aports/commit/?id=619d9f8608068fab555a9a54e6154eb798eb5c2c
- https://git.alpinelinux.org/aports/commit/?id=02d241912508f1cd6d33a41a8b8a0117385fdbbe
- https://git.alpinelinux.org/aports/commit/?id=085ece4cfcbecb4f3ff3bbd6ea2696099f7ba414
- https://git.alpinelinux.org/aports/commit/?id=39696e7a1a7079578ea07cb9514fd0c50105340e
- https://git.alpinelinux.org/aports/commit/?id=4bd40a7ac5ab979704fdf2142af6cbbe2a9329a4