Other IDs this deficiency may be known by:
Date Last Modified:
Version Specific Information:
|Cucumber 1.0 i686   | fixed in curl-7.56.1-i686-1 |
|Cucumber 1.0 x86_64 | fixed in curl-7.56.1-x86_64-1 and curl-lib_i686-7.56.1-lib_i686-1 |
|Cucumber 1.1 i686   | fixed in curl-7.56.1-i686-1 |
|Cucumber 1.1 x86_64 | fixed in curl-7.56.1-x86_64-1 and curl-lib_i686-7.56.1-lib_i686-1 |
libcurl contains an out-of-bounds read flaw in the IMAP handler.
An IMAP FETCH response line indicates the size of the returned data, in number
of bytes. When that response says the data is zero bytes, libcurl would pass on
that (non-existent) data, as a pointer and a size of zero, to the deliver-data
function. libcurl's deliver-data function treats zero as a magic number and
invokes strlen() on the data to figure out the length. strlen() is then called
on a heap-based buffer that might not be zero-terminated, so libcurl might read
beyond the end of it into whatever memory lies after it (or simply crash) and
then deliver that memory to the application as if it had actually been
downloaded. Because the FETCH response is server-controlled, a malicious or
compromised IMAP server can trigger this with a single crafted response.
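The following is an added illustration of the flaw described above; it is not curl's code, and the function names (parse_fetch_literal_size, deliver_vulnerable, deliver_fixed, simulate_zero_length_fetch) and the sample IMAP lines are constructed for this example. It models the zero-as-magic-number delivery path beside a hardened variant in which the protocol-derived length is authoritative, and shows how a zero-length literal makes the vulnerable path hand the bytes that happen to follow it in the receive buffer up to the application. The curl project's actual fix is in the advisory linked below.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical model of libcurl's IMAP FETCH literal handling (not curl's
 * code). Names are made up for this example.
 */

/* Parse the byte count N from a FETCH response line such as
 * "* 1 FETCH (BODY[] {N}\r\n". Returns 1 on success, 0 if no literal. */
int parse_fetch_literal_size(const char *line, size_t *size)
{
    const char *open = strrchr(line, '{');
    if (!open)
        return 0;
    char *end = NULL;
    unsigned long n = strtoul(open + 1, &end, 10);
    if (end == open + 1 || *end != '}')
        return 0;
    *size = (size_t)n;
    return 1;
}

/* Vulnerable delivery: zero is a "magic" length meaning "measure with
 * strlen()", so a zero-length literal makes it read past the literal into
 * whatever follows in the heap buffer. */
size_t deliver_vulnerable(const char *data, size_t len)
{
    if (len == 0)
        len = strlen(data);
    return len; /* bytes handed to the application */
}

/* Fixed delivery: the length computed from the protocol is authoritative;
 * zero bytes means deliver zero bytes, never consult strlen(). */
size_t deliver_fixed(const char *data, size_t len)
{
    (void)data;
    return len;
}

/* Simulate one server turn: the FETCH line, an empty literal, then the bytes
 * that happen to follow it in the same receive buffer. Writes the number of
 * bytes each delivery path would hand up to the application. */
void simulate_zero_length_fetch(size_t *vuln_out, size_t *fixed_out)
{
    /* Constructed sample, not captured traffic. */
    const char *fetch_line = "* 1 FETCH (BODY[] {0}\r\n";
    const char *trailing = ")\r\n* 2 FETCH (FLAGS (\\Seen))\r\n";

    size_t literal_len = 0;
    if (!parse_fetch_literal_size(fetch_line, &literal_len))
        abort();

    /* Receive buffer: the (empty) literal sits at offset 0 and the next
     * server data is right behind it. Only the trailing data carries a NUL,
     * so strlen() on the literal runs into it. A real buffer may have no
     * terminator at all, which is the crash / wild over-read case. */
    size_t tlen = strlen(trailing);
    char *recvbuf = malloc(literal_len + tlen + 1);
    if (!recvbuf)
        abort();
    memcpy(recvbuf + literal_len, trailing, tlen + 1);

    *vuln_out = deliver_vulnerable(recvbuf, literal_len);
    *fixed_out = deliver_fixed(recvbuf, literal_len);
    free(recvbuf);
}

int main(void)
{
    size_t v, f;
    simulate_zero_length_fetch(&v, &f);
    printf("vulnerable path delivers %zu bytes, fixed path delivers %zu\n",
           v, f);
    return 0;
}
```

The vulnerable path reports the length of the unrelated server data behind the empty literal, which is exactly the "delivered as if downloaded" behaviour; the fixed path reports zero. In the model the over-read stops at a NUL that the example deliberately placed there; in the real heap nothing guarantees a terminator, so the read can run into unmapped memory and crash.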
As of Mon Oct 23 09:49:27 EDT 2017, the curl developers are not aware of any
exploit of this flaw (https://curl.haxx.se/docs/adv_20171023.html).