When doing an TFTP upload and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too large value is then used in the `send()` call, making curl attempt to send more data than what is actually put into the buffer. The `send()` function will then read beyond the end of the heap based buffer. Affected versions: libcurl 7.15.0 to and including 7.54.1
Acknowledgments: Name: the Curl project Upstream: Even Rouault
Created attachment 1308973 [details] Upstream patch
Statement: Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
External References: https://curl.haxx.se/docs/adv_20170809B.html
Created curl tracking bugs for this issue: Affects: fedora-all [bug 1479670] Created mingw-curl tracking bugs for this issue: Affects: epel-7 [bug 1479668] Affects: fedora-all [bug 1479669]
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Via RHSA-2018:3558 https://access.redhat.com/errata/RHSA-2018:3558