Bug 149323 - CAN-2005-0490 Multiple stack based buffer overflows in curl
CAN-2005-0490 Multiple stack based buffer overflows in curl
Status: CLOSED DUPLICATE of bug 152917
Product: Fedora Legacy
Classification: Retired
Component: curl (Show other bugs)
fc2
All Linux
medium Severity low
: ---
: ---
Assigned To: Fedora Legacy Bugs
impact=low,public=20050221,source=bug...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-02-22 09:07 EST by Josh Bressers
Modified: 2007-04-18 13:20 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-05-16 06:32:00 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Proposed patch. (1.79 KB, patch)
2005-02-23 04:24 EST, Ivana Varekova
no flags Details | Diff
Correction of previous puzzled and incorrect patch. (1.88 KB, patch)
2005-02-23 09:00 EST, Ivana Varekova
no flags Details | Diff
The last patch with checked return values of malloc. (2.37 KB, patch)
2005-02-23 09:47 EST, Ivana Varekova
no flags Details | Diff

  None (edit)
Description Josh Bressers 2005-02-22 09:07:15 EST
*** This bug has been split off bug 149322 ***

------- Original comment by Josh Bressers (Security Response Team) on 2005.02.22
09:04 -------

Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and
possibly other versions, allow remote malicious web servers to execute
arbitrary code via base64 encoded replies that exceed the intended
buffer lengths when decoded, which is not properly handled by (1) the
Curl_input_ntlm function in http_ntlm.c during NTLM authentication or
(2) the Curl_krb_kauth and krb4_auth functions in krb4.c during
Kerberos authentication.

http://www.idefense.com/application/poi/display?id=203&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=202&type=vulnerabilities
Comment 1 Josh Bressers 2005-02-22 09:08:27 EST
This issue should also affect FC2
Comment 2 Ivana Varekova 2005-02-23 04:24:55 EST
Created attachment 111326 [details]
Proposed patch.
Comment 3 Ivana Varekova 2005-02-23 04:27:40 EST
Josh,
I fixed these problems (I changed the lengths of the buffers which are used in
Curl_input_ntlm (in http_ntlm.c) and in krb4_auth (in krb4.c)) in previous patch.
Do you think is it's possible to use this patch?
Ivana Varekova
Comment 4 Ivana Varekova 2005-02-23 09:00:46 EST
Created attachment 111334 [details]
Correction of previous puzzled and incorrect patch.
Comment 5 Josh Bressers 2005-02-23 09:15:14 EST
Ivana,

Don't for get to check the return value of malloc (stolen from the incomplete
upstream patch at
http://cool.haxx.se/cvs.cgi/curl/lib/http_ntlm.c.diff?r1=1.36&r2=1.37)


unsigned char *buffer = (unsigned char *)malloc(strlen(header));
if (buffer == NULL)
    return CURLNTLM_BAD;
Comment 6 Ivana Varekova 2005-02-23 09:47:43 EST
Created attachment 111336 [details]
The last patch with checked return values of malloc. 

Josh,
thank you for your notice.
Can this be the correct patch of this bug?
Comment 7 Daniel Stenberg 2005-03-04 11:17:21 EST
Fixed upstream in curl 7.13.1
Comment 8 Ivana Varekova 2005-04-21 09:26:23 EDT
fc3 version was fixed.
Comment 9 Pekka Savola 2005-05-16 06:32:00 EDT
I'm closing this as a duplicate of #152917, which tracks the same problem for
other versions as well.

*** This bug has been marked as a duplicate of 152917 ***

Note You need to log in before you can comment on or make changes to this bug.