Bug 1461321 (CVE-2017-9502)

Summary: CVE-2017-9502 curl: URL file scheme drive letter buffer overflow
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: bmcclain, cfergeau, csutherl, dblechte, eedri, erik-fedora, gzaronik, jclere, kdudka, lgao, lsurette, mbabacek, mgoldboi, michal.skrivanek, mike, myarboro, omajid, paul, rbalakri, rh-spice-bugs, sherold, srevivo, twalsh, weli, ykaul, ylavi
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: curl 7.54.1
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2017-06-14 08:28:14 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Adam Mariš 2017-06-14 08:27:18 UTC
When libcurl is given either

    a file: URL that doesn't use two slashes following the colon, or
    is told that file is the default scheme to use for URLs without scheme

... and the given path starts with a drive letter and libcurl is built for Windows or DOS, then libcurl would copy the path with a wrong offset, so that the end of the given path would write beyond the malloc buffer. Up to seven bytes too much.

Affected versions: libcurl 7.53.0 to and including 7.54.0

External References:

https://curl.haxx.se/docs/adv_20170614.html

Comment 1 Paul Howarth 2017-06-14 08:32:57 UTC
NOTABUG because it only affects Windows/DOS builds (including Cygwin).

Comment 2 Michael Cronenworth 2017-06-14 13:11:01 UTC
I would assume MinGW is affected. I'll push a Fedora update soon.

Comment 3 Adam Mariš 2017-06-15 08:00:52 UTC
(In reply to Michael Cronenworth from comment #2)
> I would assume MinGW is affected. I'll push a Fedora update soon.

I see mingw-curl 7.47.0 in Fedora 24 (can't find build for 25), which should not be vulnerable according to upstream advisory. Fedora 26 currently has 7.53.1 which is vulnerable.
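Added example (not part of the bug report or of curl itself): a small triage helper that applies the affected range from the description (libcurl 7.53.0 through 7.54.0) and the Windows/DOS-build caveat from comments 1 through 3 to the first line of `curl --version` output, so that a Linux 7.53.1 build is reported as not affected while a MinGW 7.53.1 build is. The banner regex, the list of Windows/DOS target-triple markers and all sample banners are assumptions constructed for this example.

```python
import re

# Affected range from the upstream advisory quoted in the description:
# libcurl 7.53.0 up to and including 7.54.0; fixed in 7.54.1.
AFFECTED_MIN = (7, 53, 0)
AFFECTED_MAX = (7, 54, 0)

# Substrings of the build target that indicate a Windows/DOS build
# (MinGW and Cygwin are named on the page; the rest are assumptions).
WINDOWS_DOS_MARKERS = ("mingw", "cygwin", "msys", "windows",
                       "win32", "win64", "msdos", "djgpp")

# First line of `curl --version`: "curl X.Y.Z (target-triple) libcurl/..."
VERSION_RE = re.compile(r"^curl\s+(\d+)\.(\d+)\.(\d+)\s+\(([^)]*)\)")


def parse_curl_version(banner: str):
    """Return (version_tuple, target_triple) from a curl --version banner."""
    lines = banner.strip().splitlines()
    first = lines[0] if lines else ""
    m = VERSION_RE.match(first)
    if not m:
        raise ValueError("not a curl --version banner: %r" % first)
    version = tuple(int(x) for x in m.group(1, 2, 3))
    return version, m.group(4).lower()


def is_affected(banner: str) -> bool:
    """True only when the version is in range AND the build targets Windows/DOS."""
    version, target = parse_curl_version(banner)
    in_range = AFFECTED_MIN <= version <= AFFECTED_MAX
    windows_build = any(marker in target for marker in WINDOWS_DOS_MARKERS)
    return in_range and windows_build


# Constructed sample banners (not captured from any real system).
SAMPLES = {
    "fedora26-mingw": "curl 7.53.1 (x86_64-w64-mingw32) libcurl/7.53.1 OpenSSL/1.0.2k",
    "fedora24-mingw": "curl 7.47.0 (x86_64-w64-mingw32) libcurl/7.47.0 OpenSSL/1.0.2h",
    "linux": "curl 7.53.1 (x86_64-redhat-linux-gnu) libcurl/7.53.1 NSS/3.30",
    "fixed-win": "curl 7.54.1 (x86_64-pc-win32) libcurl/7.54.1 WinSSL",
}

if __name__ == "__main__":
    for name, banner in SAMPLES.items():
        print(f"{name:15s} affected={is_affected(banner)}")
```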

Comment 4 Michael Cronenworth 2017-06-15 17:00:31 UTC
Updates pushed. Thanks.