Bug 1051644 (CVE-2017-1000100)

Summary: VUL-0: CVE-2017-1000100: curl: TFTP sends more than buffer size
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexander Bergmann <abergmann>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: abergmann, astieger, meissner
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/189403/
Whiteboard: CVSSv3:RedHat:CVE-2017-1000100:4.8:(AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L) CVSSv2:SUSE:CVE-2017-1000100:1.5:(AV:L/AC:M/Au:S/C:P/I:N/A:N) CVSSv3:SUSE:CVE-2017-1000100:3.3:(AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) maint:released:sle10-sp3:63814 CVSSv2:NVD:CVE-2017-1000100:4.3:(AV:N/AC:M/Au:N/C:P/I:N/A:N)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 7 Swamp Workflow Management 2017-08-07 15:20:50 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2017-08-21.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63813
Comment 8 Marcus Meissner 2017-08-09 06:48:55 UTC
TFTP sends more than buffer size
================================

Project curl Security Advisory, August 9th 2017 -
[Permalink](https://curl.haxx.se/docs/adv_20170809B.html)

VULNERABILITY
-------------

When doing a TFTP transfer and curl/libcurl is given a URL that contains a
very long file name (longer than about 515 bytes), the file name is truncated
to fit within the buffer boundaries, but the buffer size is still wrongly
updated to use the untruncated length. This too-large value is then used in
the `sendto()` call, making curl attempt to send more data than what is
actually put into the buffer. The `sendto()` function will then read beyond
the end of the heap-based buffer.

A malicious HTTP(S) server could redirect a vulnerable libcurl-using client to
a crafted TFTP URL (if the client hasn't restricted which protocols it allows
redirects to) and trick it into sending private memory contents to a remote
server over UDP. Limit curl's redirect protocols with `--proto-redir` and
libcurl's with `CURLOPT_REDIR_PROTOCOLS`.

We are not aware of any exploit of this flaw.

INFO
----

This flaw also affects the curl command line tool.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2017-1000100 to this issue.

AFFECTED VERSIONS
-----------------

This bug has been present in curl since TFTP support was added, in September
2005 (commit [56d9624b566](https://github.com/curl/curl/commit/56d9624b566)).

- Affected versions: libcurl 7.15.0 to and including 7.54.1
- Not affected versions: libcurl < 7.15.0 and >= 7.55.0

libcurl is used by many applications, but not always advertised as such.

THE SOLUTION
------------

The function now returns an error if attempting to send a file name that is
too long to fit in the TFTP packet.

A [patch for CVE-2017-1000100](https://curl.haxx.se/CVE-2017-1000100.patch) is
available.

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

  A - Upgrade curl and libcurl to version 7.55.0

  B - Apply the patch to your version and rebuild

  C - Disable TFTP or otherwise restrict TFTP transfers

TIME LINE
---------

It was reported to the curl project on July 11, 2017. We contacted
distros@openwall on August 1.

libcurl 7.55.0 was released on August 9, 2017, coordinated with the publication
of this advisory.

CREDITS
-------

Reported by Even Rouault. Discovery: credit to OSS-Fuzz. Patch by Daniel
Stenberg.

Thanks a lot!

-- 

  / daniel.haxx.se
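The truncation-versus-length mismatch the advisory describes, as an added example that is not curl's code and not part of the comment above: a constructed TFTP read-request builder with the buggy length computation beside a fixed version that rejects over-long names before anything is sent. The 512-byte data block and 2-byte opcode follow RFC 1350; the function names and the `overrun_bytes` helper are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sizes: RFC 1350 TFTP data blocks are 512 bytes; the request
 * packet here is a 2-byte opcode followed by one block. Not curl's code. */
#define TFTP_BLKSIZE 512
#define TFTP_PKTSIZE (2 + TFTP_BLKSIZE)
#define TFTP_OP_RRQ  1

/* Bug pattern as the advisory describes it: snprintf() silently truncates the
 * file name so pkt is never overrun, but the byte count is taken from the
 * untruncated strings. Returns the length a caller would hand to sendto();
 * when it exceeds TFTP_PKTSIZE, sendto() reads past the end of pkt. */
size_t build_rrq_buggy(unsigned char pkt[TFTP_PKTSIZE],
                       const char *filename, const char *mode)
{
    pkt[0] = 0;
    pkt[1] = TFTP_OP_RRQ;
    snprintf((char *)pkt + 2, TFTP_BLKSIZE, "%s%c%s%c", filename, '\0', mode, '\0');
    return 2 + strlen(filename) + 1 + strlen(mode) + 1;  /* not what was written */
}

/* Fixed pattern: name + NUL + mode + NUL must fit in the data block; refuse
 * the request (return -1) instead of sending with a bogus length. */
long build_rrq_fixed(unsigned char pkt[TFTP_PKTSIZE],
                     const char *filename, const char *mode)
{
    size_t nlen = strlen(filename), mlen = strlen(mode);
    size_t need = nlen + 1 + mlen + 1;
    if(need > TFTP_BLKSIZE)
        return -1;                       /* file name too long for one packet */
    pkt[0] = 0;
    pkt[1] = TFTP_OP_RRQ;
    memcpy(pkt + 2, filename, nlen + 1);
    memcpy(pkt + 2 + nlen + 1, mode, mlen + 1);
    return (long)(2 + need);             /* exactly the bytes written */
}

/* Bytes a sendto() with this length would read beyond the end of pkt. */
size_t overrun_bytes(size_t sendlen)
{
    return sendlen > TFTP_PKTSIZE ? sendlen - TFTP_PKTSIZE : 0;
}
```

With a 699-byte name and mode "octet", the buggy builder reports 708 bytes for a 514-byte buffer (194 bytes of heap beyond the packet would go on the wire), while the fixed builder returns -1 and sends nothing.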
Comment 9 Pedro Monreal Gonzalez 2017-08-10 14:49:56 UTC
Update to version 7.55.0 in Factory, see sr#515937.
Comment 10 Swamp Workflow Management 2017-08-16 13:08:09 UTC
SUSE-SU-2017:2174-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1051643,1051644
CVE References: CVE-2017-1000100,CVE-2017-1000101
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    curl-7.37.0-37.3.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    curl-7.37.0-37.3.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    curl-7.37.0-37.3.1
SUSE Linux Enterprise Server 12-SP3 (src):    curl-7.37.0-37.3.1
SUSE Linux Enterprise Server 12-SP2 (src):    curl-7.37.0-37.3.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    curl-7.37.0-37.3.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    curl-7.37.0-37.3.1
SUSE Container as a Service Platform ALL (src):    curl-7.37.0-37.3.1
OpenStack Cloud Magnum Orchestration 7 (src):    curl-7.37.0-37.3.1
Comment 12 Swamp Workflow Management 2017-08-18 01:07:17 UTC
openSUSE-SU-2017:2205-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1051643,1051644
CVE References: CVE-2017-1000100,CVE-2017-1000101
Sources used:
openSUSE Leap 42.3 (src):    curl-7.37.0-20.1
openSUSE Leap 42.2 (src):    curl-7.37.0-16.6.1
Comment 13 Swamp Workflow Management 2017-08-31 16:08:51 UTC
SUSE-SU-2017:2312-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1015332,1032309,1051644
CVE References: CVE-2016-9586,CVE-2017-1000100,CVE-2017-7407
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    curl-7.19.7-1.70.3.1
SUSE Linux Enterprise Server 11-SP4 (src):    curl-7.19.7-1.70.3.1
SUSE Linux Enterprise Server 11-SECURITY (src):    curl-openssl1-7.19.7-1.70.3.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    curl-7.19.7-1.70.3.1
Comment 14 Swamp Workflow Management 2017-09-05 19:07:18 UTC
SUSE-SU-2017:2354-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1051644
CVE References: CVE-2017-1000100
Sources used:
SUSE Studio Onsite 1.3 (src):    curl-7.19.7-1.20.53.3.1
Comment 15 Swamp Workflow Management 2017-09-14 19:22:52 UTC
SUSE-SU-2017:2470-1: An update that solves 18 vulnerabilities and has 46 fixes is now available.

Category: security (important)
Bug References: 1004995,1009745,1014471,1017420,1019637,1026825,1027079,1027688,1027908,1028281,1028723,1029523,1031756,1032706,1033236,1035062,1036659,1038132,1038444,1038984,1042392,1043218,1043333,1044095,1044107,1044175,1044840,1045384,1045735,1045987,1046268,1046417,1046659,1046853,1046858,1047008,1047236,1047240,1047310,1047379,1047785,1047964,1047965,1048315,1048483,1048605,1048679,1048715,1049344,1050396,1050484,1051626,1051643,1051644,1052030,1052759,1053409,874665,902364,938657,944903,954661,960820,963041
CVE References: CVE-2013-7459,CVE-2016-9063,CVE-2017-1000100,CVE-2017-1000101,CVE-2017-10684,CVE-2017-10685,CVE-2017-11112,CVE-2017-11113,CVE-2017-3308,CVE-2017-3309,CVE-2017-3453,CVE-2017-3456,CVE-2017-3464,CVE-2017-7435,CVE-2017-7436,CVE-2017-8872,CVE-2017-9233,CVE-2017-9269
Sources used:
SUSE Container as a Service Platform ALL (src):    caasp-container-manifests-0.0.0+git_r155_93e40ab-2.3.3, container-feeder-0.0.0+20170901.git_r55_17ecbd3-2.3.3, sles12-mariadb-docker-image-1.1.0-2.3.10, sles12-pause-docker-image-1.1.0-2.3.11, sles12-pv-recycler-node-docker-image-1.1.0-2.3.10, sles12-salt-api-docker-image-1.1.0-2.3.9, sles12-salt-master-docker-image-1.1.0-4.3.10, sles12-salt-minion-docker-image-1.1.0-2.3.8, sles12-velum-docker-image-1.1.0-4.3.9
Comment 16 Marcus Meissner 2017-10-17 11:06:06 UTC
All relevant ones are out.