*** This bug has been split off bug 149322 *** ------- Original comment by Josh Bressers (Security Response Team) on 2005.02.22 09:04 ------- Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and possibly other versions, allow remote malicious web servers to execute arbitrary code via base64 encoded replies that exceed the intended buffer lengths when decoded, which is not properly handled by (1) the Curl_input_ntlm function in http_ntlm.c during NTLM authentication or (2) the Curl_krb_kauth and krb4_auth functions in krb4.c during Kerberos authentication. http://www.idefense.com/application/poi/display?id=203&type=vulnerabilities http://www.idefense.com/application/poi/display?id=202&type=vulnerabilities
This issue should also affect FC2
Created attachment 111326 [details] Proposed patch.
Josh, I fixed these problems (I changed the lengths of the buffers which are used in Curl_input_ntlm (in http_ntlm.c) and in krb4_auth (in krb4.c)) in previous patch. Do you think is it's possible to use this patch? Ivana Varekova
Created attachment 111334 [details] Correction of previous puzzled and incorrect patch.
Ivana, Don't for get to check the return value of malloc (stolen from the incomplete upstream patch at http://cool.haxx.se/cvs.cgi/curl/lib/http_ntlm.c.diff?r1=1.36&r2=1.37) unsigned char *buffer = (unsigned char *)malloc(strlen(header)); if (buffer == NULL) return CURLNTLM_BAD;
Created attachment 111336 [details] The last patch with checked return values of malloc. Josh, thank you for your notice. Can this be the correct patch of this bug?
Fixed upstream in curl 7.13.1
fc3 version was fixed.
I'm closing this as a duplicate of #152917, which tracks the same problem for other versions as well. *** This bug has been marked as a duplicate of 152917 ***