CLD-162 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2017-8817 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s) adv_2017-ae72

Basic Information:

Affected Package(s) curl
Deficiency Type SECURITY
Date Created 2017-11-29 09:05:48
Date Last Modified 2017-11-29 15:02:37

Version Specific Information:

Cucumber 1.0 i686fixed in curl-7.57.0-i686-1
Cucumber 1.0 x86_64fixed in curl-7.57.0-x86_64-1 and curl-lib_i686-7.57.0-lib_i686-1

Cucumber 1.1 i686 fixed in curl-7.57.0-i686-1
Cucumber 1.1 x86_64 fixed in curl-7.57.0-x86_64-1 and curl-lib_i686-7.57.0-lib_i686-1


================================ Initial Report ================================

From Curl Security (

libcurl contains a read out of bounds flaw in the FTP wildcard function.

libcurl's FTP wildcard matching feature, which is enabled with the
CURLOPT_WILDCARDMATCH option can use a built-in wildcard function or a user
provided one. The built-in wildcard function has a flaw that makes it not detect
the end of the pattern string if it ends with an open bracket ([) but instead it
will continue reading the heap beyond the end of the URL buffer that holds the

For applications that use HTTP(S) URLs, allow libcurl to handle redirects and
have FTP wildcards enabled, this flaw can be triggered by malicious servers that
can redirect clients to a URL using such a wildcard pattern.

We are not aware of any exploit of this flaw.

This bug was introduced in commit 0825cd80a62c, May 2010.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2017-8817 to this issue.

================================= Our Analysis =================================

----- Affected Products -----
Curl versions after and including 7.21.0 but prior to 7.57.0 that have not had
this patch ( applied are vulnerable to
this vulnerability. 

----- Scope and Impact of this Vulnerability -----
This is a buffer overflow in the HTTPS URL handling portion of libcurl that can
be used to redirect clients to a different URL using a specially crafted
wildcard pattern.

As of Wed Nov 29 09:44:59 EST 2017, there have been no reports of any exploit of
this flaw.

----- Fix for this Vulnerability -----
This vulnerability can be fixed by upgrading to curl 7.57.0 or applying the
patch at

================================= Our Solution =================================

We have upgraded to curl 7.57.0 to fix this vulnerability.