CVE-2017-1000099

NameCVE-2017-1000099
DescriptionWhen asking to get a file from a file:// URL, libcurl provides a feature that outputs meta-data about the file using HTTP-like headers. The code doing this would send the wrong buffer to the user (stdout or the application's provide callback), which could lead to other private data from the heap to get inadvertently displayed. The wrong buffer was an uninitialized memory area allocated on the heap and if it turned out to not contain any zero byte, it would continue and display the data following that buffer in memory.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
curl (PTS)buster7.64.0-4+deb10u2fixed
buster (security)7.64.0-4+deb10u6fixed
bullseye (security), bullseye7.74.0-1.3+deb11u7fixed
bookworm, sid7.88.1-10fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
curlsource(unstable)(not affected)

Notes

- curl <not-affected> (Only affects 7.54.1, no affected version ever in the archive)
https://curl.haxx.se/docs/adv_20170809C.html
https://curl.haxx.se/CVE-2017-1000099.patch
Introduced by: https://github.com/curl/curl/commit/7c312f84ea930d8
Search for package or bug name: Reporting problems