PT-2017-3343 · Curl+3 · Libcurl+3
Max Dymond · Published 2014-11-05 · Updated 2024-06-15 · CVE-2017-1000254
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
libcurl versions prior to 7.56.0
Description
The issue is related to a flaw in the string parser for directory names when libcurl connects to an FTP server. If the server responds with a 257 response containing the path without a closing double quote, libcurl may not add a trailing null byte to the buffer holding the name. This could lead to libcurl reading beyond the allocated heap buffer and crashing or wrongly accessing data beyond the buffer. A malicious server could exploit this fact, potentially causing a segfault. The issue was introduced in 2005 and remained undiscovered for a long time, suggesting that malformed PWD responses are rare in benign servers. There is no known exploit of this flaw.
Recommendations
For libcurl versions prior to 7.56.0, consider updating to version 7.56.0 or later, which always zero-terminates the string and rejects it if it is not properly terminated with a final double quote. As a temporary workaround, consider restricting access to FTP servers that may send malformed PWD responses to minimize the risk of exploitation. Avoid using libcurl to connect to untrusted FTP servers until the issue is resolved.
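The behaviour described for the fixed version (always terminate, reject a path with no closing double quote) can be shown with a small parser for the 257 reply. This is an added example, not libcurl's code; the function name `parse_pwd_257` and the sample replies are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not libcurl's code): extract the quoted directory
 * from an FTP 257 reply such as: 257 "/home/user" is current directory
 * Returns 0 on success, -1 if the reply is malformed or does not fit.
 * On every return path with outlen > 0, out is NUL-terminated. */
int parse_pwd_257(const char *line, char *out, size_t outlen)
{
    size_t n = 0;
    const char *p;
    if (!line || !out || outlen == 0)
        return -1;
    out[0] = '\0';
    if (strncmp(line, "257", 3) != 0)
        return -1;
    p = line + 3;
    while (*p == ' ' || *p == '\t')
        p++;
    if (*p != '"')
        return -1;              /* path must start with a double quote */
    p++;
    for (; *p; p++) {
        if (*p == '"') {
            if (p[1] != '"') {  /* closing quote: terminate and accept */
                out[n] = '\0';
                return 0;
            }
            p++;                /* RFC 959: "" encodes one literal quote */
        }
        if (n + 1 >= outlen) {  /* always keep room for the terminator */
            out[0] = '\0';
            return -1;
        }
        out[n++] = *p;
    }
    out[0] = '\0';              /* input ended with no closing quote: reject */
    return -1;
}

int main(void)
{
    char dir[64];   /* constructed replies: well-formed, then unterminated */
    int ok = parse_pwd_257("257 \"/pub\" is cwd\r\n", dir, sizeof dir);
    int bad = parse_pwd_257("257 \"/pub\r\n", dir, sizeof dir);
    printf("well-formed: %d, unterminated: %d\n", ok, bad);
    return 0;
}
```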
Fix
Buffer Over-read
Out of bounds Read
Buffer Overflow
Related Identifiers
Affected Products
Alt Linux
Suse
Ubuntu
Libcurl