CVE-2017-7407

Published: 03 April 2017

The ourWriteOut function in tool_writeout.c in curl 7.53.1 might allow physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which leads to a heap-based buffer over-read.
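The over-read described above, as an added example that is not curl's code: a simplified model of a `--write-out` style parser, showing how a cursor that skips two bytes after any `%` steps past the terminating NUL, next to a hardened expander that treats a trailing `%` as a literal. The function names and the `<name>` placeholder rendering are assumptions made for illustration.

```c
#include <string.h>

/* Constructed model, not curl's source. Unchecked cursor: a '%' not followed
 * by '{' is skipped as a two-character sequence (i += 2). Returns the final
 * cursor; a result > strlen(fmt) means a real loop would pass the NUL. */
size_t cursor_unchecked(const char *fmt)
{
    size_t len = strlen(fmt), i = 0;
    while (i < len) {               /* guard keeps this model itself in bounds */
        if (fmt[i] != '%') { i++; continue; }
        if (fmt[i + 1] == '{') {
            const char *end = strchr(fmt + i, '}');
            i = end ? (size_t)(end - fmt) + 1 : len;
        } else {
            i += 2;                 /* trailing '%': fmt[i + 1] is the NUL */
        }
    }
    return i;
}

/* Hardened expander: '%' is special only when a character follows it.
 * "%{name}" becomes "<name>" (assumed rendering), "%%" becomes '%'.
 * Returns the output length, or -1 if out is too small. */
int expand_checked(const char *fmt, char *out, size_t outsz)
{
    size_t o = 0;
    const char *p = fmt, *end;
    if (outsz == 0) return -1;
    while (*p) {
        size_t n = 1;               /* bytes of fmt consumed this round */
        if (o + 1 >= outsz) return -1;
        if (*p == '%' && p[1] == '{' && (end = strchr(p, '}')) != NULL) {
            size_t name = (size_t)(end - p) - 2;
            if (o + name + 3 > outsz) return -1;   /* '<' name '>' NUL */
            out[o++] = '<';
            memcpy(out + o, p + 2, name);
            o += name;
            out[o++] = '>';
            n = name + 3;
        } else if (*p == '%' && p[1] == '%') {
            out[o++] = '%';
            n = 2;
        } else {
            out[o++] = *p;          /* literal, including a trailing '%' */
        }
        p += n;
    }
    out[o] = '\0';
    return (int)o;
}
```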

Priority

Negligible

CVSS 3 base score: 2.4

Status

Package: curl (Launchpad, Ubuntu, Debian)

Release                          Status
Upstream                         Released (7.54.0,7.52.1-4)
Ubuntu 16.04 ESM (Xenial Xerus)  Released (7.47.0-1ubuntu2.3)
Ubuntu 14.04 ESM (Trusty Tahr)   Released (7.35.0-1ubuntu2.11)

Patches:
Upstream: https://github.com/curl/curl/commit/1890d59905414ab84a35892b2e45833654aa5c13
Upstream: https://github.com/curl/curl/commit/8e65877870c1fac920b65219adec720df810aab9