Bug 1503705 (CVE-2017-1000257)
Summary: | CVE-2017-1000257 curl: IMAP FETCH response out of bounds read |
---|---|
Product: | [Other] Security Response |
Component: | vulnerability |
Reporter: | Andrej Nemec <anemec> |
Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA |
Severity: | medium |
Priority: | medium |
Version: | unspecified |
CC: | bmcclain, bodavis, cfergeau, csutherl, dbhole, dblechte, eedri, erik-fedora, gzaronik, hhorak, java-maint, jclere, john.j5live, jorton, kanderso, kdudka, lgao, lsurette, luhliari, mbabacek, mgoldboi, michal.skrivanek, mike, mturk, myarboro, omajid, paul, rh-spice-bugs, rwagner, security-response-team, sherold, srevivo, twalsh, weli, ykaul |
Keywords: | Security |
Hardware: | All |
OS: | Linux |
Fixed In Version: | curl 7.56.1 |
Doc Type: | If docs needed, set a value |
Doc Text: | A buffer overrun flaw was found in the IMAP handler of libcurl. By tricking an unsuspecting user into connecting to a malicious IMAP server, an attacker could exploit this flaw to potentially cause information disclosure or crash the application. |
Last Closed: | 2019-06-08 03:29:41 UTC |
Bug Depends On: | 1505232, 1505233, 1505234, 1505284, 1505285, 1505301, 1505302 |
Bug Blocks: | 1503707 |
Description
Andrej Nemec
2017-10-18 14:55:49 UTC
Mitigation:

Switch off IMAP in `CURLOPT_PROTOCOLS`

Acknowledgments:

Name: the Curl project
Upstream: Brian Carpenter, the OSS-Fuzz project

Created curl tracking bugs for this issue:

Affects: fedora-all [bug 1505233]

Created mingw-curl tracking bugs for this issue:

Affects: epel-7 [bug 1505232]
Affects: fedora-all [bug 1505234]

Upstream commit:
https://github.com/curl/curl/commit/13c9a9ded3ae744a1e11cbc14e9146d9fa427040

OSS-Fuzz issue for this problem:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3586

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:3263 https://access.redhat.com/errata/RHSA-2017:3263

This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2018:2486 https://access.redhat.com/errata/RHSA-2018:2486

This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2018:3558 https://access.redhat.com/errata/RHSA-2018:3558
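
A triage check built on the two facts this record gives, the fixed version (curl 7.56.1) and the IMAP mitigation; it is an added example, not part of the bug report or of curl. The `curl --version` sample is constructed, the function names and result labels are assumptions, and the version comparison only holds for upstream version strings, since distribution packages patched through the errata listed in this record keep their older version numbers.

```python
import re

FIXED = (7, 56, 1)  # "Fixed In Version: curl 7.56.1" from this bug record

# Constructed sample of `curl --version` output (not captured from a real host).
SAMPLE = """\
curl 7.55.1 (x86_64-pc-linux-gnu) libcurl/7.55.1 OpenSSL/1.0.2k zlib/1.2.11
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s smtp smtps
Features: IPv6 Largefile NTLM SSL libz UnixSockets
"""


def parse_curl_version(text):
    """Return (libcurl version tuple, set of protocol names) from `curl --version` text."""
    # The flaw is in libcurl, so read the libcurl/x.y.z token rather than the
    # version of the curl tool, which can differ from the library it loads.
    match = re.search(r"\blibcurl/(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError("no libcurl/x.y.z token found")
    version = tuple(int(part) for part in match.groups())
    protocols = set()
    for line in text.splitlines():
        if line.lower().startswith("protocols:"):
            protocols = set(line.split(":", 1)[1].lower().split())
    return version, protocols


def triage(text):
    """Classify a build as 'imap-absent', 'fixed' or 'review' (labels are assumptions)."""
    version, protocols = parse_curl_version(text)
    if not protocols & {"imap", "imaps"}:
        return "imap-absent"  # IMAP handler not compiled in, nothing to reach
    if version >= FIXED:
        return "fixed"        # upstream release that carries the fix
    # Older version string with IMAP available: confirm a vendor erratum is
    # installed, or make sure callers switch IMAP off in CURLOPT_PROTOCOLS.
    return "review"


if __name__ == "__main__":
    print(triage(SAMPLE))
```

To check a real host, pass the text of `curl --version` to `triage()` instead of `SAMPLE`.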