CVE-2017-7407

Publication date 3 April 2017

Last updated 24 July 2024

Ubuntu priority

Negligible

Why this priority?

Cvss 3 Severity Score

2.4 · Low

Score breakdown

The ourWriteOut function in tool_writeout.c in curl 7.53.1 might allow physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which leads to a heap-based buffer over-read.

Read the notes from the security team

Status

Package Ubuntu Release Status
curl 17.10 artful
Not affected
17.04 zesty
Fixed 7.52.1-4ubuntu1.2
16.10 yakkety Ignored end of life
16.04 LTS xenial
Fixed 7.47.0-1ubuntu2.3
14.04 LTS trusty
Fixed 7.35.0-1ubuntu2.11
12.04 LTS precise Ignored end of life

Notes

tyhicks

Affected code is in src/writeout.c in older releases

mdeslaur

first commit is in 7.52.1-4, second one isn't

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
curl

Severity score breakdown

Parameter Value
Base score 2.4 · Low
Attack vector Physical
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality Low
Integrity impact None
Availability impact None
Vector CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

Related Ubuntu Security Notices (USN)

Other references