Bug 1439190 (CVE-2017-7407)

Summary: CVE-2017-7407 curl: --write-out out of bounds read
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: bmcclain, bodavis, cfergeau, csutherl, dbhole, dblechte, eedri, erik-fedora, gzaronik, hhorak, jclere, jorton, kanderso, kdudka, lgao, lsurette, luhliari, mbabacek, mgoldboi, michal.skrivanek, mike, myarboro, omajid, paul, rbalakri, rh-spice-bugs, rwagner, srevivo, twalsh, weli, ykaul, ylavi
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: curl 7.54.0 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-07-17 13:27:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1439191, 1439192, 1439193    
Bug Blocks: 1856590    

Description Andrej Nemec 2017-04-05 12:11:37 UTC 
The ourWriteOut function in tool_writeout.c in curl might allow physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which leads to a heap-based buffer over-read.

External References:

https://curl.haxx.se/docs/adv_20170403.html

Upstream patches:

https://github.com/curl/curl/commit/1890d59905414ab84a
https://github.com/curl/curl/commit/8e65877870c1
Comment 1 Andrej Nemec 2017-04-05 12:14:49 UTC 
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 1439191]


Created mingw-curl tracking bugs for this issue:

Affects: epel-7 [bug 1439193]
Affects: fedora-all [bug 1439192]
Comment 2 errata-xmlrpc 2018-11-13 08:34:10 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2018:3558 https://access.redhat.com/errata/RHSA-2018:3558
Comment 4 Mauro Matteo Cascella 2020-07-17 09:32:50 UTC 
Statement:

This flaw did not affect Red Hat Enterprise Linux 8 and Red Hat Software Collections 3, as they already included the fixed version of the `curl` package.
Comment 5 Product Security DevOps Team 2020-07-17 13:27:42 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2017-7407