Bug 149323 - CAN-2005-0490 Multiple stack based buffer overflows in curl
Summary: CAN-2005-0490 Multiple stack based buffer overflows in curl
Keywords:
Status: CLOSED DUPLICATE of bug 152917
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: curl
Version: fc2
Hardware: All
OS: Linux
medium
low
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
URL:
Whiteboard: impact=low,public=20050221,source=bug...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-02-22 14:07 UTC by Josh Bressers
Modified: 2007-04-18 17:20 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-05-16 10:32:00 UTC
Embargoed:


Attachments (Terms of Use)
Proposed patch. (1.79 KB, patch)
2005-02-23 09:24 UTC, Ivana Varekova
no flags Details | Diff
Correction of previous puzzled and incorrect patch. (1.88 KB, patch)
2005-02-23 14:00 UTC, Ivana Varekova
no flags Details | Diff
The last patch with checked return values of malloc. (2.37 KB, patch)
2005-02-23 14:47 UTC, Ivana Varekova
no flags Details | Diff

Description Josh Bressers 2005-02-22 14:07:15 UTC
*** This bug has been split off bug 149322 ***

------- Original comment by Josh Bressers (Security Response Team) on 2005.02.22
09:04 -------

Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and
possibly other versions, allow remote malicious web servers to execute
arbitrary code via base64 encoded replies that exceed the intended
buffer lengths when decoded, which is not properly handled by (1) the
Curl_input_ntlm function in http_ntlm.c during NTLM authentication or
(2) the Curl_krb_kauth and krb4_auth functions in krb4.c during
Kerberos authentication.

http://www.idefense.com/application/poi/display?id=203&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=202&type=vulnerabilities

Comment 1 Josh Bressers 2005-02-22 14:08:27 UTC
This issue should also affect FC2

Comment 2 Ivana Varekova 2005-02-23 09:24:55 UTC
Created attachment 111326 [details]
Proposed patch.

Comment 3 Ivana Varekova 2005-02-23 09:27:40 UTC
Josh,
I fixed these problems (I changed the lengths of the buffers which are used in
Curl_input_ntlm (in http_ntlm.c) and in krb4_auth (in krb4.c)) in previous patch.
Do you think is it's possible to use this patch?
Ivana Varekova

Comment 4 Ivana Varekova 2005-02-23 14:00:46 UTC
Created attachment 111334 [details]
Correction of previous puzzled and incorrect patch.

Comment 5 Josh Bressers 2005-02-23 14:15:14 UTC
Ivana,

Don't for get to check the return value of malloc (stolen from the incomplete
upstream patch at
http://cool.haxx.se/cvs.cgi/curl/lib/http_ntlm.c.diff?r1=1.36&r2=1.37)


unsigned char *buffer = (unsigned char *)malloc(strlen(header));
if (buffer == NULL)
    return CURLNTLM_BAD;

Comment 6 Ivana Varekova 2005-02-23 14:47:43 UTC
Created attachment 111336 [details]
The last patch with checked return values of malloc. 

Josh,
thank you for your notice.
Can this be the correct patch of this bug?

Comment 7 Daniel Stenberg 2005-03-04 16:17:21 UTC
Fixed upstream in curl 7.13.1

Comment 8 Ivana Varekova 2005-04-21 13:26:23 UTC
fc3 version was fixed.

Comment 9 Pekka Savola 2005-05-16 10:32:00 UTC
I'm closing this as a duplicate of #152917, which tracks the same problem for
other versions as well.

*** This bug has been marked as a duplicate of 152917 ***


Note You need to log in before you can comment on or make changes to this bug.