VulnerableCode Package Details - pkg:alpm/archlinux/lib32-curl@7.56.0-1

Search for packages

Vulnerability	Summary	Fixed by
VCID-4t2f-bfv9-aaan Aliases: CVE-2017-1000257	An IMAP FETCH response line indicates the size of the returned data, in number of bytes. When that response says the data is zero bytes, libcurl would pass on that (non-existing) data with a pointer and the size (zero) to the deliver-data function. libcurl's deliver-data function treats zero as a magic number and invokes strlen() on the data to figure out the length. The strlen() is called on a heap based buffer that might not be zero terminated so libcurl might read beyond the end of it into whatever memory lies after (or just crash) and then deliver that to the application as if it was actually downloaded.	7.56.1-1 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-4t2f-bfv9-aaan
Aliases:
CVE-2017-1000257

An IMAP FETCH response line indicates the size of the returned data, in number of bytes. When that response says the data is zero bytes, libcurl would pass on that (non-existing) data with a pointer and the size (zero) to the deliver-data function. libcurl's deliver-data function treats zero as a magic number and invokes strlen() on the data to figure out the length. The strlen() is called on a heap based buffer that might not be zero terminated so libcurl might read beyond the end of it into whatever memory lies after (or just crash) and then deliver that to the application as if it was actually downloaded.

7.56.1-1
Affected by 3 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-4fah-w821-aaap	When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too large value is then used in the sendto() call, making curl attempt to send more data than what is actually put into the buffer. The endto() function will then read beyond the end of the heap based buffer. A malicious HTTP(S) server could redirect a vulnerable libcurl-using client to a crafted TFTP URL (if the client hasn't restricted which protocols it allows redirects to) and trick it to send private memory contents to a remote server over UDP. Limit curl's redirect protocols with --proto-redir and libcurl's with CURLOPT_REDIR_PROTOCOLS.	CVE-2017-1000100
VCID-daac-sxbr-aaas	libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients to work with it - the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault. The simple fact that this has issue remained undiscovered for this long could suggest that malformed PWD responses are rare in benign servers. We are not aware of any exploit of this flaw. This bug was introduced in commit [415d2e7cb7](https://github.com/curl/curl/commit/415d2e7cb7), March 2005. In libcurl version 7.56.0, the parser always zero terminates the string but also rejects it if not terminated properly with a final double quote.	CVE-2017-1000254
VCID-rgn4-k12p-aaae	When asking to get a file from a file:// URL, libcurl provides a feature that outputs meta-data about the file using HTTP-like headers. The code doing this would send the wrong buffer to the user (stdout or the application's provide callback), which could lead to other private data from the heap to get inadvertently displayed. The wrong buffer was an uninitialized memory area allocated on the heap and if it turned out to not contain any zero byte, it would continue and display the data following that buffer in memory.	CVE-2017-1000099

Vulnerability

Summary

Aliases

VCID-4fah-w821-aaap

When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too large value is then used in the sendto() call, making curl attempt to send more data than what is actually put into the buffer. The endto() function will then read beyond the end of the heap based buffer. A malicious HTTP(S) server could redirect a vulnerable libcurl-using client to a crafted TFTP URL (if the client hasn't restricted which protocols it allows redirects to) and trick it to send private memory contents to a remote server over UDP. Limit curl's redirect protocols with --proto-redir and libcurl's with CURLOPT_REDIR_PROTOCOLS.

CVE-2017-1000100

VCID-daac-sxbr-aaas

libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients to work with it - the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault. The simple fact that this has issue remained undiscovered for this long could suggest that malformed PWD responses are rare in benign servers. We are not aware of any exploit of this flaw. This bug was introduced in commit [415d2e7cb7](https://github.com/curl/curl/commit/415d2e7cb7), March 2005. In libcurl version 7.56.0, the parser always zero terminates the string but also rejects it if not terminated properly with a final double quote.

CVE-2017-1000254

VCID-rgn4-k12p-aaae

When asking to get a file from a file:// URL, libcurl provides a feature that outputs meta-data about the file using HTTP-like headers. The code doing this would send the wrong buffer to the user (stdout or the application's provide callback), which could lead to other private data from the heap to get inadvertently displayed. The wrong buffer was an uninitialized memory area allocated on the heap and if it turned out to not contain any zero byte, it would continue and display the data following that buffer in memory.

CVE-2017-1000099

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-03-28T07:46:58.130073+00:00	Arch Linux Importer	Fixing	VCID-rgn4-k12p-aaae	https://security.archlinux.org/AVG-371	36.0.0
2025-03-28T07:46:58.109732+00:00	Arch Linux Importer	Fixing	VCID-4fah-w821-aaap	https://security.archlinux.org/AVG-371	36.0.0
2025-03-28T07:46:58.089168+00:00	Arch Linux Importer	Fixing	VCID-daac-sxbr-aaas	https://security.archlinux.org/AVG-371	36.0.0
2025-03-28T07:46:56.941898+00:00	Arch Linux Importer	Affected by	VCID-4t2f-bfv9-aaan	https://security.archlinux.org/AVG-466	36.0.0
2024-12-11T10:54:44.289227+00:00	Arch Linux Importer	Fixing	VCID-rgn4-k12p-aaae	https://security.archlinux.org/AVG-371	35.0.0
2024-12-11T10:54:43.904892+00:00	Arch Linux Importer	Fixing	VCID-4fah-w821-aaap	https://security.archlinux.org/AVG-371	35.0.0
2024-12-11T10:54:43.537933+00:00	Arch Linux Importer	Fixing	VCID-daac-sxbr-aaas	https://security.archlinux.org/AVG-371	35.0.0
2024-12-11T10:54:40.161110+00:00	Arch Linux Importer	Affected by	VCID-4t2f-bfv9-aaan	https://security.archlinux.org/AVG-466	35.0.0
2024-09-18T02:02:19.640904+00:00	Arch Linux Importer	Fixing	VCID-rgn4-k12p-aaae	https://security.archlinux.org/AVG-371	34.0.1
2024-09-18T02:02:19.613253+00:00	Arch Linux Importer	Fixing	VCID-4fah-w821-aaap	https://security.archlinux.org/AVG-371	34.0.1
2024-09-18T02:02:19.585289+00:00	Arch Linux Importer	Fixing	VCID-daac-sxbr-aaas	https://security.archlinux.org/AVG-371	34.0.1
2024-09-18T02:02:18.295912+00:00	Arch Linux Importer	Affected by	VCID-4t2f-bfv9-aaan	https://security.archlinux.org/AVG-466	34.0.1
2024-01-31T12:10:01.053666+00:00	Arch Linux Importer	Fixing	VCID-rgn4-k12p-aaae	https://security.archlinux.org/AVG-371	34.0.0rc2
2024-01-31T12:10:01.031884+00:00	Arch Linux Importer	Fixing	VCID-4fah-w821-aaap	https://security.archlinux.org/AVG-371	34.0.0rc2
2024-01-31T12:10:01.010016+00:00	Arch Linux Importer	Fixing	VCID-daac-sxbr-aaas	https://security.archlinux.org/AVG-371	34.0.0rc2
2024-01-31T12:10:00.628618+00:00	Arch Linux Importer	Affected by	VCID-4t2f-bfv9-aaan	https://security.archlinux.org/AVG-466	34.0.0rc2
2024-01-03T22:28:21.420003+00:00	Arch Linux Importer	Fixing	VCID-rgn4-k12p-aaae	https://security.archlinux.org/AVG-371	34.0.0rc1
2024-01-03T22:28:21.397517+00:00	Arch Linux Importer	Fixing	VCID-4fah-w821-aaap	https://security.archlinux.org/AVG-371	34.0.0rc1
2024-01-03T22:28:21.375170+00:00	Arch Linux Importer	Fixing	VCID-daac-sxbr-aaas	https://security.archlinux.org/AVG-371	34.0.0rc1
2024-01-03T22:28:20.113431+00:00	Arch Linux Importer	Affected by	VCID-4t2f-bfv9-aaan	https://security.archlinux.org/AVG-466	34.0.0rc1

2025-03-28T07:46:58.130073+00:00

Arch Linux Importer

Fixing

Next non-vulnerable version	7.58.0-1
Latest non-vulnerable version	8.4.0-1
Risk	4.5