CVE-2014-3707
Published: 5 November 2014
The curl_easy_duphandle function in libcurl 7.17.1 through 7.38.0, when running with the CURLOPT_COPYPOSTFIELDS option, does not properly copy HTTP POST data for an easy handle, which triggers an out-of-bounds read that allows remote web servers to read sensitive memory information.
Priority
Status
Package | Release | Status |
---|---|---|
curl Launchpad, Ubuntu, Debian | lucid | Released (7.19.7-1ubuntu1.10) |
curl | precise | Released (7.22.0-3ubuntu4.11) |
curl | trusty | Released (7.35.0-1ubuntu2.2) |
curl | upstream | Released (7.39.0) |
curl | utopic | Released (7.37.1-1ubuntu3.1) |

Patches:
upstream: http://curl.haxx.se/CVE-2014-3707.patch
upstream: https://github.com/bagder/curl/commit/b3875606925536f82fc61f3114ac42f29eaf6945
upstream: https://github.com/bagder/curl/commit/e8cea8d70fed7ad5e14d8b3e871ebf0ea0bf53b0
upstream: https://github.com/bagder/curl/commit/92e7e346f35b89d89c079403e5aeb16bee0e8836
upstream: https://github.com/bagder/curl/commit/8a2dda312cc916e3ec3d0bc99850d9abe5ae6b92