CVE-2017-1000257
moderate-risk
Published 2017-10-31
An IMAP FETCH response line indicates the size of the returned data, in number of bytes. When that response says the data is zero bytes, libcurl would pass on that (non-existing) data with a pointer and the size (zero) to the deliver-data function. libcurl's deliver-data function treats zero as a magic number and invokes strlen() on the data to figure out the length. The strlen() is called on a heap based buffer that might not be zero terminated so libcurl might read beyond the end of it into whatever memory lies after (or just crash) and then deliver that to the application as if it was actually downloaded.
Do I need to act?
~
1.0% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.1/10
Critical
NETWORK
/ LOW complexity
Affected Products (3)
References (16)
Third Party Advisory
http://www.debian.org/security/2017/dsa-4007
Third Party Advisory
http://www.securityfocus.com/bid/101519
Third Party Advisory
http://www.securitytracker.com/id/1039644
Vendor Advisory
https://curl.haxx.se/docs/adv_20171023.html
Third Party Advisory
http://www.debian.org/security/2017/dsa-4007
Third Party Advisory
http://www.securityfocus.com/bid/101519
Third Party Advisory
http://www.securitytracker.com/id/1039644
Vendor Advisory
https://curl.haxx.se/docs/adv_20171023.html
43
/ 100
moderate-risk
Severity
31/34 · Critical
Exploitability
3/34 · Minimal
Exposure
9/34 · Low