Moritz Muehlenhoff
Thu, 13 Oct 2005 06:18:03 -0700
Package: curl
Version: 7.14.1-5
Severity: grave
Tags: security
Justification: user security hole
Another buffer overflow has been found in curl's NTLM authentication code. (This one is different from CAN-2005-0490 and doesn't seem to have a CVE assignment yet). Please see http://www.mail-archive.com/wget%40sunsite.dk/msg08294.html for more information.

The vulnerable code is almost identical to wget. For your reference I've attached the extracted fix from the latest wget release. The actual fix applies to curl's Curl_output_ntlm() function as well, but needs to be adapted to the appropriate CURLcode definition for an error situation like this instead of returning NULL.

Cheers,
Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-rc1
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages curl depends on:
ii  libc6        2.3.5-6    GNU C Library: Shared libraries an
ii  libcomerr2   1.38-2     common error description library
ii  libcurl3     7.14.1-5   Multi-protocol file transfer libra
ii  libidn11     0.5.18-1   GNU libidn library, implementation
ii  libkrb53     1.3.6-5    MIT Kerberos runtime libraries
ii  libssl0.9.8  0.9.8-2    SSL shared libraries
ii  zlib1g       1:1.2.3-4  compression library - runtime

curl recommends no packages.

-- no debconf information
diff -Naur wget-1.10.1/src/http-ntlm.c wget-1.10.2/src/http-ntlm.c
--- wget-1.10.1/src/http-ntlm.c 2005-05-10 23:16:53.000000000 +0200
+++ wget-1.10.2/src/http-ntlm.c 2005-10-13 10:52:21.000000000 +0200
@@ -526,6 +526,11 @@
size=64;
ntlmbuf[62]=ntlmbuf[63]=0;
+ /* Make sure that the user and domain strings fit in the target buffer
+ before we copy them there. */
+ if(size + userlen + domlen >= sizeof(ntlmbuf))
+ return NULL;
+
memcpy(&ntlmbuf[size], domain, domlen);
size += domlen;
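Review bot: the guard `if(size + userlen + domlen >= sizeof(ntlmbuf))` sits directly before the domain memcpy and so protects that copy and the user copy it is sized for, but it protects nothing else: any further bytes appended to ntlmbuf after those two copies need to be included in this sum or get their own check. If userlen and domlen are size_t, the additive form can in principle wrap around for very large values; a subtraction form such as `if(domlen >= sizeof(ntlmbuf) - size || userlen >= sizeof(ntlmbuf) - size - domlen)` expresses the same bound without that risk. Returning NULL here also assumes every caller already treats a NULL return as failure; as the report says, the curl port into Curl_output_ntlm() must surface this as a CURLcode error rather than NULL.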
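As an added example (not code from the report, from wget or from curl), the following C shows the fixed-header-plus-names layout the hunk operates on, with the same length guard written wrap-free and reporting an error code the way the report says the curl port should, instead of returning NULL. The enum `ntlm_result`, the constants `NTLM_TYPE3_FIXED` and `NTLMBUF_SIZE`, the function `ntlm_append_names` and the demo helpers are all constructed for this example and are not curl's or wget's identifiers.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the "CURLcode definition for an error situation"
 * the report mentions; these values are for this example only, not curl's. */
typedef enum {
    NTLM_OK = 0,
    NTLM_ERR_TOO_LONG = 1
} ntlm_result;

#define NTLM_TYPE3_FIXED 64   /* fixed type-3 header bytes, as in the hunk (size=64) */
#define NTLMBUF_SIZE 256      /* constructed size of the example message buffer */

/*
 * Append domain and user after the fixed header of a type-3 message buffer.
 * The bound is the same as the wget fix ("size + userlen + domlen >=
 * sizeof(ntlmbuf)" is an error) but evaluated by subtraction so the
 * comparison cannot wrap, and failure is a result code rather than NULL.
 * On success *out_size receives the new fill level of ntlmbuf.
 */
ntlm_result ntlm_append_names(unsigned char *ntlmbuf, size_t bufsize,
                              const char *domain, size_t domlen,
                              const char *user, size_t userlen,
                              size_t *out_size)
{
    size_t size = NTLM_TYPE3_FIXED;

    if (bufsize <= size)                 /* not even room for the fixed header */
        return NTLM_ERR_TOO_LONG;

    /* Require size + domlen + userlen < bufsize, checked term by term. */
    if (domlen >= bufsize - size || userlen >= bufsize - size - domlen)
        return NTLM_ERR_TOO_LONG;

    memcpy(&ntlmbuf[size], domain, domlen);
    size += domlen;
    memcpy(&ntlmbuf[size], user, userlen);
    size += userlen;

    *out_size = size;
    return NTLM_OK;
}

/* Constructed buffer and inputs used by the demonstrations below. */
static unsigned char g_ntlmbuf[NTLMBUF_SIZE];

/* Short domain/user pair that fits; returns the fill level, 0 on error. */
size_t demo_fits(void)
{
    size_t out = 0;
    ntlm_result r = ntlm_append_names(g_ntlmbuf, sizeof g_ntlmbuf,
                                      "EXAMPLE", 7, "alice", 5, &out);
    return r == NTLM_OK ? out : 0;      /* 64 + 7 + 5 = 76 */
}

/* Boundary probe: a 100-byte domain plus a user of userlen bytes (max 200). */
ntlm_result demo_boundary(size_t userlen)
{
    static char domain[100];
    static char user[200];
    size_t out = 0;
    memset(domain, 'D', sizeof domain);
    memset(user, 'U', sizeof user);
    if (userlen > sizeof user)
        userlen = sizeof user;
    return ntlm_append_names(g_ntlmbuf, sizeof g_ntlmbuf,
                             domain, sizeof domain, user, userlen, &out);
}

int main(void)
{
    printf("short names fill the buffer to %zu bytes\n", demo_fits());
    printf("64+100+91 bytes: %s\n", demo_boundary(91) == NTLM_OK ? "accepted" : "rejected");
    printf("64+100+92 bytes: %s\n", demo_boundary(92) == NTLM_OK ? "accepted" : "rejected");
    return 0;
}
```

With a 256-byte buffer the 64-byte header plus 191 bytes of names (255 total) is accepted and 192 bytes (256 total) is rejected, which is exactly the `>=` boundary of the wget hunk; the one spare byte is the price of using `>=` rather than `>`.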