
Category:   Application (Generic)  >   cURL Vendors:
cURL URL Globbing Flaw Lets Local Users View Portions of System Memory on the Target System
SecurityTracker Alert ID:  1039117
SecurityTracker URL:
CVE Reference:   CVE-2017-1000101
Date:  Aug 10 2017
Impact:   Disclosure of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 7.34.0 - 7.54.1
Description:   A vulnerability was reported in cURL. A local user can obtain potentially sensitive information from system memory.

A local user can supply a URL containing specially crafted numerical range characters to trigger a heap read error and obtain potentially sensitive information from system memory on the target system.

A demonstration exploit URL is provided:


The command line tool is affected.

The libcurl library is not affected.

Brian Carpenter and Yongji Ouyang independently reported this vulnerability.

Impact:   A local user can obtain potentially sensitive information from system memory on the target system.
Solution:   The vendor has issued a fix (7.55.0).

The vendor advisory is available at:

Vendor URL:
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  [oss-security] [SECURITY ADVISORY] curl: URL globbing out of bounds read

URL globbing out of bounds read

Project curl Security Advisory, August 9th 2017 -


curl supports "globbing" of URLs, in which a user can pass a numerical range
to have the tool iterate over those numbers to do a sequence of transfers.

In the globbing function that parses the numerical range, there was an
omission that made curl read a byte beyond the end of the URL if given a
carefully crafted, or just wrongly written, URL. The URL is stored in a heap
based buffer, so it could then be made to wrongly read something else instead
of crashing.

An example of a URL that triggers the flaw would be

We are not aware of any exploit of this flaw.


This flaw only affects the curl command line tool, not the libcurl
library. The bug was introduced in commit 5ca96cb84410270, August 2013
(curl 7.34.0).

For version 7.55.0, the parser properly stops at the end of the string and a
test has been added to verify this.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2017-1000101 to this issue.


- Affected versions: curl 7.34.0 to and including 7.54.1
- Not affected versions: curl < 7.34.0 and >= 7.55.1

curl is used by many applications, but not always advertised as such.


A patch for CVE-2017-1000101 is


We suggest you take one of the following actions immediately, in order of

  A - Upgrade curl to version 7.55.0

  B - Apply the patch to your version and rebuild


It was reported to the curl project on June 14, 2017.  We contacted
distros@openwall on August 1.

curl 7.55.0 was released on August 9 2017, coordinated with the publication of
this advisory.


Reported by Brian Carpenter and Yongji Ouyang (independently of each
other). Patch by Daniel Stenberg.

Thanks a lot!
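The advisory above describes the globbing range parser reading one byte past the end of the heap-allocated URL when handed a truncated or malformed numerical range, and the 7.55.0 fix that makes the parser stop at the end of the string. The following is an added example written for this page, not curl's own code, showing how a range parser of that kind is written so that every dereference is bounded by an explicit end pointer. It handles only the numeric `[N-M]` and `[N-M:step]` forms and a single range per URL; the `parse_num_range` and `glob_expand_nth` names and the example.test URLs are constructed for the illustration.

```c
#include <ctype.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One numeric glob range, "[from-to]" or "[from-to:step]". */
typedef struct {
    unsigned long from, to, step;
    size_t consumed;            /* bytes of the pattern the range occupied */
} num_range;

/* Parse an unsigned decimal at p. Every read is guarded by end, so a
   number cut off by the end of the buffer is rejected rather than read
   from whatever memory happens to follow the buffer. */
static int parse_ulong(const char *p, const char *end,
                       unsigned long *out, const char **next)
{
    unsigned long v = 0;
    const char *start = p;
    while (p < end && isdigit((unsigned char)*p)) {
        unsigned digit = (unsigned)(*p - '0');
        if (v > (ULONG_MAX - digit) / 10)
            return 0;           /* would overflow */
        v = v * 10 + digit;
        p++;
    }
    if (p == start)
        return 0;               /* no digits at all */
    *out = v;
    *next = p;
    return 1;
}

/* Parse the range at the start of pat (len bytes). Returns 1 and fills r,
   or 0 for malformed or truncated input such as "[1-" or "[1-3".
   Hypothetical helper written for this example; not curl's own parser. */
int parse_num_range(const char *pat, size_t len, num_range *r)
{
    const char *p = pat, *end = pat + len;
    unsigned long from, to, step = 1;

    if (p >= end || *p++ != '[') return 0;
    if (!parse_ulong(p, end, &from, &p)) return 0;
    if (p >= end || *p++ != '-') return 0;
    if (!parse_ulong(p, end, &to, &p)) return 0;
    if (p < end && *p == ':') {                 /* optional step */
        p++;
        if (!parse_ulong(p, end, &step, &p) || step == 0) return 0;
    }
    if (p >= end || *p++ != ']') return 0;      /* must close inside the buffer */
    if (from > to) return 0;

    r->from = from;
    r->to = to;
    r->step = step;
    r->consumed = (size_t)(p - pat);
    return 1;
}

/* Write the idx-th expansion of a URL with one numeric range to out,
   e.g. idx 1 of "http://host/img[1-3].png" is "http://host/img2.png".
   Returns 1 on success, 0 for a bad pattern, idx out of range, or a
   too-small out buffer. */
int glob_expand_nth(const char *url, size_t len, unsigned long idx,
                    char *out, size_t outsz)
{
    const char *open = memchr(url, '[', len);
    num_range r;
    size_t head;
    int n;

    if (!open)
        return 0;
    head = (size_t)(open - url);
    if (!parse_num_range(open, len - head, &r))
        return 0;
    if (idx > (r.to - r.from) / r.step)
        return 0;                               /* past the last expansion */
    n = snprintf(out, outsz, "%.*s%lu%.*s", (int)head, url,
                 r.from + idx * r.step,
                 (int)(len - head - r.consumed), open + r.consumed);
    return n >= 0 && (size_t)n < outsz;
}

int main(void)
{
    /* Constructed sample patterns (example.test is a reserved name). */
    const char *good = "http://example.test/img[1-3].png";
    const char *cut = "http://example.test/img[1-";   /* truncated range */
    char out[128];
    unsigned long i;

    for (i = 0; glob_expand_nth(good, strlen(good), i, out, sizeof out); i++)
        printf("%s\n", out);
    printf("truncated pattern accepted: %s\n",
           glob_expand_nth(cut, strlen(cut), 0, out, sizeof out) ? "yes" : "no");
    return 0;
}
```

The point to take from it is the comparison against `end` before every `*p`: the cut-off pattern "[1-" is rejected instead of being read past, and nothing beyond the length passed in is ever touched even when more bytes follow in memory. A unit test or fuzz corpus for a parser of this shape should include such truncated inputs, which is what the advisory says was added alongside the 7.55.0 fix.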



Copyright 2017, LLC