PublicDateAtUSN: 2017-04-03
Candidate: CVE-2017-7407
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7407
https://curl.haxx.se/docs/adv_20170403.html
https://usn.ubuntu.com/usn/usn-3441-1
https://usn.ubuntu.com/usn/usn-3441-2
The ourWriteOut function in tool_writeout.c in curl 7.53.1 might allow
physically proximate attackers to obtain sensitive information from process
memory in opportunistic circumstances by reading a workstation screen
during use of a --write-out argument ending in a '%' character, which leads
to a heap-based buffer over-read.
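Added illustration of the defect class named above (constructed here, not curl's own code): a minimal --write-out style expander that treats a format string ending in '%' as a case of its own instead of stepping past the terminating NUL. The single variable %{url}, its substituted value, and the function name are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample value substituted for %{url}; not from curl. */
static const char *sample_url = "https://example.invalid/";

/* Expand fmt into out (NUL-terminated, at most outlen-1 bytes).
 * Returns the number of bytes written, or -1 if out is too small.
 *
 * The defect class behind CVE-2017-7407: a parser that, on seeing '%',
 * unconditionally steps to the next byte and keeps scanning.  When the
 * format string ends in '%', that step lands on the terminating NUL and
 * the loop's own increment then walks past the end of the heap buffer,
 * copying whatever follows into the output.  Checking for end-of-string
 * before looking at the byte after '%' closes that path. */
int writeout_expand(const char *fmt, char *out, size_t outlen)
{
    size_t n = 0;
    const char *p = fmt;

    while (*p) {
        const char *chunk;
        size_t len;
        char tmp[2] = {0, 0};

        if (*p != '%') {                 /* ordinary byte: copy it */
            tmp[0] = *p++; chunk = tmp; len = 1;
        } else if (p[1] == '\0') {       /* trailing '%': emit literally, stop */
            tmp[0] = '%'; p++; chunk = tmp; len = 1;
        } else if (p[1] == '%') {        /* "%%" escape */
            tmp[0] = '%'; p += 2; chunk = tmp; len = 1;
        } else if (strncmp(p, "%{url}", 6) == 0) {   /* known variable */
            chunk = sample_url; len = strlen(sample_url); p += 6;
        } else {                         /* unknown token: keep '%' as text */
            tmp[0] = '%'; p++; chunk = tmp; len = 1;
        }

        if (n + len >= outlen)           /* leave room for the NUL */
            return -1;
        memcpy(out + n, chunk, len);
        n += len;
    }
    out[n] = '\0';
    return (int)n;
}
```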
tyhicks> Affected code is in src/writeout.c in older releases
mdeslaur> first commit is in 7.52.1-4, second one isn't
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859500
Discovered-by: Brian Carpenter
upstream: https://github.com/curl/curl/commit/1890d59905414ab84a35892b2e45833654aa5c13
upstream: https://github.com/curl/curl/commit/8e65877870c1fac920b65219adec720df810aab9
upstream_curl: released (7.54.0,7.52.1-4)
precise_curl: ignored (reached end-of-life)
precise/esm_curl: released (7.22.0-3ubuntu4.18)
trusty_curl: released (7.35.0-1ubuntu2.11)
vivid/stable-phone-overlay_curl: ignored (reached end-of-life)
vivid/ubuntu-core_curl: ignored (reached end-of-life)
xenial_curl: released (7.47.0-1ubuntu2.3)
yakkety_curl: ignored (reached end-of-life)
zesty_curl: released (7.52.1-4ubuntu1.2)
artful_curl: not-affected (7.55.1-1ubuntu1)
devel_curl: not-affected (7.55.1-1ubuntu1)