| Title | libcurl におけるバッファエラーの脆弱性 |
|---|---|
| Summary | libcurl には、バッファエラーの脆弱性が存在します。 |
| Possible impacts | 情報を取得される、およびサービス運用妨害 (DoS) 状態にされる可能性があります。 |
| Solution | ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。 |
| Publication Date | Oct. 23, 2017, midnight |
| Registration Date | Nov. 28, 2017, 6:18 p.m. |
| Last Update | Nov. 28, 2017, 6:18 p.m. |
| CVSS3.0 : 緊急 | |
| Score | 9.1 |
|---|---|
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |
| CVSS2.0 : 警告 | |
| Score | 6.4 |
|---|---|
| Vector | AV:N/AC:L/Au:N/C:P/I:N/A:P |
| Debian |
| Debian GNU/Linux 8.0 |
| Debian GNU/Linux 9.0 |
| Haxx |
| libcurl |
| No | Changed Details | Date of change |
|---|---|---|
| 0 | [2017年11月28日] 掲載 |
Feb. 17, 2018, 10:37 a.m. |
| Summary | An IMAP FETCH response line indicates the size of the returned data, in number of bytes. When that response says the data is zero bytes, libcurl would pass on that (non-existing) data with a pointer and the size (zero) to the deliver-data function. libcurl's deliver-data function treats zero as a magic number and invokes strlen() on the data to figure out the length. The strlen() is called on a heap based buffer that might not be zero terminated so libcurl might read beyond the end of it into whatever memory lies after (or just crash) and then deliver that to the application as if it was actually downloaded. |
|---|---|
| Publication Date | Nov. 1, 2017, 6:29 a.m. |
| Registration Date | Jan. 26, 2021, 1:11 p.m. |
| Last Update | Nov. 21, 2024, 12:04 p.m. |
| Configuration1 | or higher | or less | more than | less than | |
| cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:* | 7.20.0 | 7.56.0 | |||
| Configuration2 | or higher | or less | more than | less than | |
| cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:* | |||||
| cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* | |||||