CLD-163 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2017-8818 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s) adv_2017-af0a

Basic Information:

Affected Package(s) curl
Deficiency Type SECURITY
Date Created 2017-11-29 09:06:29
Date Last Modified 2017-11-29 15:11:58

Version Specific Information:

Cucumber 1.0 i686fixed in curl-7.57.0-i686-1
Cucumber 1.0 x86_64not affected

Cucumber 1.1 i686 fixed in curl-7.57.0-i686-1
Cucumber 1.1 x86_64 not affected


================================ Initial Report ================================

From Curl Security (

libcurl contains an out boundary access flaw in SSL related code.

When allocating memory for a connection (the internal struct called
connectdata), a certain amount of memory is allocated at the end of the struct
to be used for SSL related structs. Those structs are used by the particular SSL
library libcurl is built to use. The application can also tell libcurl which
specific SSL library to use if it was built to support more than one.

The math used to calculate the extra memory amount necessary for the SSL library
was wrong on 32 bit systems, which made the allocated memory too small by 4
bytes. The last struct member of the last object within the memory area could
then be outside of what was allocated. Accessing that member could lead to a
crash or other undefined behaviors depending on what memory that is present
there and how the particular SSL library decides to act on that memory content.

Specifically the vulnerability is present if libcurl was built so that
sizeof(long long *) < sizeof(long long) which as far as we are aware only
happens in 32-bit builds.

We are not aware of any exploit of this flaw.

This bug was introduced in commit 70f1db321a, July 2017.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2017-8818 to this issue.

================================= Our Analysis =================================

----- Affected Products -----
Curl versions after and including 7.56.0 but prior to 7.57.0 that have not had
this patch ( applied are vulnerable to
this vulnerability. 

This is buffer overrun vulnerability affecting systems where
sizeof(long long *) < sizeof(long long). This means that (in theory), only
32 bit versions of Cucumber Linux that are running a vulnerable version of curl
are affected.

As of Wed Nov 29 09:44:59 EST 2017, the following products are vulnerable to
this and will require patching:
	Cucumber Linux 1.0 i686
	Cucumber Linux 1.1 i686
The following products are not vulnerable; however, it is probably still a good
idea to apply this patch on them:
	Cucumber Linux 1.0 x86_64
	Cucumber Linux 1.1 x86_64

----- Scope and Impact of this Vulnerability -----
As of Wed Nov 29 09:44:59 EST 2017, there have been no reports of any exploit of
this flaw.

----- Fix for this Vulnerability -----
This vulnerability can be fixed by upgrading to curl 7.57.0 or applying the
patch at

================================= Our Solution =================================

We have upgraded to curl 7.57.0 to fix this vulnerability.