Package: curl
Version: 7.14.1-5
Severity: grave
Tags: security
Justification: user security hole
Another buffer overflow has been found in curl's NTLM authentication
code. (This one is different from CAN-2005-0490 and doesn't seem to
have a CVE assignment yet). Please see
http://www.mail-archive.com/wget%40sunsite.dk/msg08294.html
for more information. The vulnerable code is almost identical
to wget. For your reference I've attached the extracted fix from
the latest wget release. The actual fix applies to curl's
Curl_output_ntlm() function as well, but needs to be adapted to
the appropriate CURLcode definition for an error situation like
this instead of returning NULL.
Cheers,
Moritz
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-rc1
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)
Versions of packages curl depends on:
ii libc6 2.3.5-6 GNU C Library: Shared libraries an
ii libcomerr2 1.38-2 common error description library
ii libcurl3 7.14.1-5 Multi-protocol file transfer libra
ii libidn11 0.5.18-1 GNU libidn library, implementation
ii libkrb53 1.3.6-5 MIT Kerberos runtime libraries
ii libssl0.9.8 0.9.8-2 SSL shared libraries
ii zlib1g 1:1.2.3-4 compression library - runtime
curl recommends no packages.
-- no debconf information
diff -Naur wget-1.10.1/src/http-ntlm.c wget-1.10.2/src/http-ntlm.c
--- wget-1.10.1/src/http-ntlm.c 2005-05-10 23:16:53.000000000 +0200
+++ wget-1.10.2/src/http-ntlm.c 2005-10-13 10:52:21.000000000 +0200
@@ -526,6 +526,11 @@
size=64;
ntlmbuf[62]=ntlmbuf[63]=0;
+ /* Make sure that the user and domain strings fit in the target buffer
+ before we copy them there. */
+ if(size + userlen + domlen >= sizeof(ntlmbuf))
+ return NULL;
+
memcpy(&ntlmbuf[size], domain, domlen);
size += domlen;
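Review bot: the guard `if(size + userlen + domlen >= sizeof(ntlmbuf))` is evaluated once, before the domain copy shown here, but it also has to cover the user copy the comment refers to, which is outside this hunk; confirm nothing between the two copies changes `size` other than the `size += domlen;` visible in context, otherwise the check no longer matches what is written. For the curl port the report describes, `return NULL;` must become a CURLcode failure that the caller checks before the buffer is used, and writing the test as `domlen >= sizeof(ntlmbuf) - size` followed by `userlen >= sizeof(ntlmbuf) - size - domlen` (after `size < sizeof(ntlmbuf)`) keeps the same rejection boundary without relying on the three-term sum never wrapping.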
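The attached check adapted the way the report says curl needs it, returning an error code instead of NULL, as an added example that is not code from the report, wget or curl; the `ntlm_result` enum, the function names and the 256-byte buffer are assumptions made for the example, and the check is written in a wrap-safe two-step form that keeps the same rejection boundary as the patch.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes standing in for a CURLcode-style return. */
typedef enum { NTLM_OK = 0, NTLM_ERR_TOOLONG = 1 } ntlm_result;

#define NTLM_HDR_SIZE 64 /* header occupies the first 64 bytes, as in the hunk */

/* Append the domain and user strings after the fixed header of an NTLM
   buffer of bufsize bytes. Rejects input that would not fit, using the same
   boundary as the patch (size + domlen + userlen must stay below bufsize)
   but without forming a sum that could wrap. *outlen gets the final size. */
ntlm_result ntlm_append_names(unsigned char *buf, size_t bufsize,
                              const char *domain, size_t domlen,
                              const char *user, size_t userlen,
                              size_t *outlen)
{
    size_t size = NTLM_HDR_SIZE;
    if (size >= bufsize)
        return NTLM_ERR_TOOLONG;
    if (domlen >= bufsize - size)            /* room left for domain? */
        return NTLM_ERR_TOOLONG;
    if (userlen >= bufsize - size - domlen)  /* room left for user after it? */
        return NTLM_ERR_TOOLONG;
    memcpy(&buf[size], domain, domlen);
    size += domlen;
    memcpy(&buf[size], user, userlen);
    size += userlen;
    *outlen = size;
    return NTLM_OK;
}

/* Constructed demo: a 256-byte buffer (size chosen for this example only)
   and synthetic 'A'-filled names. Returns the final size, or 0 if rejected. */
size_t ntlm_demo_len(size_t domlen, size_t userlen)
{
    unsigned char buf[256];
    char names[512];
    size_t outlen = 0;
    if (domlen > sizeof(names) || userlen > sizeof(names))
        return 0;
    memset(names, 'A', sizeof(names));
    memset(buf, 0, sizeof(buf));
    if (ntlm_append_names(buf, sizeof(buf), names, domlen, names, userlen,
                          &outlen) != NTLM_OK)
        return 0;
    return outlen;
}

int main(void)
{
    printf("fits: %zu, rejected: %zu\n", ntlm_demo_len(8, 8), ntlm_demo_len(100, 92));
    return 0;
}
```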