[arch-security] [Arch Linux Security Advisory ASA-201411-7] curl: out-of-bounds read
anthraxx at archlinux.org
Tue Nov 11 20:12:01 UTC 2014
Arch Linux Security Advisory ASA-201411-7
Date : 2014-11-11
CVE-ID : CVE-2014-3707
Package : curl
Type : out-of-bounds read
Remote : No
Link : https://wiki.archlinux.org/index.php/CVE-2014
The package curl before version 7.39.0-1 is vulnerable to an out-of-bounds
read which may lead to information disclosure.
Upgrade to 7.39.0-1.
# pacman -Syu "curl>=7.39.0-1"
The problem has been fixed upstream in version 7.39.0.
Symeon Paraschoudis discovered that the curl_easy_duphandle() function
has a bug that can lead to libcurl sending sensitive data that was never
intended to be sent.
This bug requires CURLOPT_COPYPOSTFIELDS and curl_easy_duphandle() to be
used in that order, and then the duplicate handle must be used to
perform the HTTP POST. The curl command line tool is not affected by
this problem as it does not use this sequence.
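The sequence above is easiest to see in a small stand-alone model. The C below is an added example, not libcurl's code: it assumes, based on what the upstream 7.39.0 fix changed, that the defect was curl_easy_duphandle() copying the CURLOPT_COPYPOSTFIELDS buffer as a NUL-terminated C string even though CURLOPT_POSTFIELDSIZE lets that buffer hold binary data. The struct and all model_* names are invented for the model, and the sample body is constructed; instead of actually reading out of bounds, the "POST" step reports how many bytes the send would read past the duplicate's allocation.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for the parts of an easy handle the bug involves
 * (invented for this model, not libcurl's real struct). */
struct model_handle {
    unsigned char *postfields;  /* private copy of the POST body */
    size_t postfields_alloc;    /* bytes actually allocated for it */
    size_t postfieldsize;       /* bytes the POST will send from it */
};

/* Stand-in for CURLOPT_COPYPOSTFIELDS + CURLOPT_POSTFIELDSIZE: keep a
 * private, size-limited copy of a body that may contain NUL bytes. */
static struct model_handle *model_set_copypostfields(const unsigned char *data,
                                                     size_t size)
{
    struct model_handle *h = calloc(1, sizeof *h);
    if (!h)
        return NULL;
    h->postfields = malloc(size);
    if (!h->postfields) {
        free(h);
        return NULL;
    }
    memcpy(h->postfields, data, size);
    h->postfields_alloc = size;
    h->postfieldsize = size;
    return h;
}

/* Vulnerable duplicate (assumed pre-7.39.0 behaviour): the body is copied
 * as a C string, so the copy stops at the first NUL byte while
 * postfieldsize is carried over unchanged.  The scan is bounded here so
 * the model stays memory-safe; a real strdup() would also read past the
 * end of a body that contains no NUL at all. */
static struct model_handle *model_duphandle_vulnerable(const struct model_handle *src)
{
    size_t len = 0;
    while (len < src->postfieldsize && src->postfields[len] != '\0')
        len++;
    struct model_handle *dst = calloc(1, sizeof *dst);
    if (!dst)
        return NULL;
    dst->postfields = malloc(len + 1);
    if (!dst->postfields) {
        free(dst);
        return NULL;
    }
    memcpy(dst->postfields, src->postfields, len);
    dst->postfields[len] = '\0';
    dst->postfields_alloc = len + 1;
    dst->postfieldsize = src->postfieldsize;  /* original size, not len */
    return dst;
}

/* Fixed duplicate (7.39.0 behaviour): copy exactly postfieldsize bytes. */
static struct model_handle *model_duphandle_fixed(const struct model_handle *src)
{
    return model_set_copypostfields(src->postfields, src->postfieldsize);
}

/* Stand-in for performing the POST: report how many bytes the send would
 * read beyond the duplicate's allocation (0 means in bounds).  Those bytes
 * are whatever the heap holds next to the short copy, which is the
 * information disclosure the advisory describes. */
static size_t model_post_overread(const struct model_handle *h)
{
    return h->postfieldsize > h->postfields_alloc
         ? h->postfieldsize - h->postfields_alloc : 0;
}

static void model_free(struct model_handle *h)
{
    if (h) {
        free(h->postfields);
        free(h);
    }
}

/* Constructed sample body: binary data with an embedded NUL (12 bytes). */
static const unsigned char sample_body[] =
    { 'i', 'd', '=', 0x00, 0x7f, 0x01, '&', 't', 'o', 'k', 'e', 'n' };

/* Runs the advisory's trigger sequence (copy the body, duplicate the
 * handle, POST from the duplicate) and returns the over-read in bytes. */
static size_t model_overread_for_sample(int use_fixed_dup)
{
    struct model_handle *orig =
        model_set_copypostfields(sample_body, sizeof sample_body);
    if (!orig)
        return (size_t)-1;
    struct model_handle *dup = use_fixed_dup ? model_duphandle_fixed(orig)
                                             : model_duphandle_vulnerable(orig);
    size_t over = dup ? model_post_overread(dup) : (size_t)-1;
    model_free(dup);
    model_free(orig);
    return over;
}

int main(void)
{
    printf("vulnerable duplicate over-reads %zu bytes\n", model_overread_for_sample(0));
    printf("fixed duplicate over-reads %zu bytes\n", model_overread_for_sample(1));
    return 0;
}
```

With the 12-byte sample body the vulnerable duplicate keeps only the 3 bytes before the NUL (plus a terminator) but still advertises 12 bytes to send, so 8 bytes of adjacent heap would go out with the POST; the fixed duplicate copies all 12 and over-reads nothing. An application is exposed only if it sets CURLOPT_COPYPOSTFIELDS, then calls curl_easy_duphandle(), then POSTs from the duplicate, exactly the order the advisory names.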