On Wed, Feb 06, 2013 at 11:24:36 +0100, Daniel Stenberg wrote:
> 4. RECOMMENDATIONS
>
> We suggest you take one of the following actions immediately, in order of
> preference:
>
> A - Upgrade to curl and libcurl 7.29.0
>
> B - Apply this patch and rebuild libcurl
>
> http://curl.haxx.se/curl-sasl.patch

I'm working on adapting the above patch for curl 7.26.0 which is the version
currently in Debian Wheezy (being it in freeze, it's not possible to update to
7.29.0).
Could someone please have a look at the attached patch? Is it enough, or is
there something I've missed?
Thanks
--
perl -E '$_=q;$/= @{[@_]};and s;\S+;<inidehG ordnasselA>;eg;say~~reverse'
Description: Fix buffer overflow in SMTP DIGEST-MD5 negotiation When negotiating SMTP DIGEST-MD5 authentication, the function smtp_state_authdigest_resp() uses the data provided from the server without doing the proper length checks and that data is then appended to a local fixed-size buffer on the stack. Origin: vendor, adapted from http://curl.haxx.se/curl-sasl.patch Bug: http://curl.haxx.se/docs/adv_20130206.html Bug-Debian: http://bugs.debian.org/700002 Forwarded: not-needed Author: Alessandro Ghedini <[email protected]> Last-Update: 2013-02-10 --- a/lib/smtp.c +++ b/lib/smtp.c @@ -879,7 +879,8 @@ char cnonce[] = "12345678"; /* will be changed */ char method[] = "AUTHENTICATE"; char qop[] = "auth"; - char uri[128] = "smtp/"; + char service[] = "smtp"; + char uri[128]; char response[512]; (void)instate; /* no use for this yet */ @@ -963,8 +964,8 @@ for(i = 0; i < MD5_DIGEST_LEN; i++) snprintf(&HA1_hex[2 * i], 3, "%02x", digest[i]); - /* Orepare URL string, append realm to the protocol */ - strcat(uri, realm); + /* Prepare the URL string */ + snprintf(uri, sizeof(uri), "%s/%s", service, realm); /* Calculate H(A2) */ ctxt = Curl_MD5_init(Curl_DIGEST_MD5); 
@@ -1008,20 +1009,11 @@ for(i = 0; i < MD5_DIGEST_LEN; i++) snprintf(&resp_hash_hex[2 * i], 3, "%02x", digest[i]); - strcpy(response, "username=\""); - strcat(response, conn->user); - strcat(response, "\",realm=\""); - strcat(response, realm); - strcat(response, "\",nonce=\""); - strcat(response, nonce); - strcat(response, "\",cnonce=\""); - strcat(response, cnonce); - strcat(response, "\",nc="); - strcat(response, nonceCount); - strcat(response, ",digest-uri=\""); - strcat(response, uri); - strcat(response, "\",response="); - strcat(response, resp_hash_hex); + snprintf(response, sizeof(response), + "username=\"%s\",realm=\"%s\",nonce=\"%s\"," + "cnonce=\"%s\",nc=\"%s\",digest-uri=\"%s\",response=%s", + conn->user, realm, nonce, + cnonce, nonceCount, uri, resp_hash_hex); /* Encode it to base64 and send it */ result = Curl_base64_encode(data, response, 0, &rplyb64, &len);
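Review bot: uri[128] loses its initializer in the @@ -879,7 +879,8 @@ hunk and is now filled only by the snprintf() added in the next hunk, so nothing between the declaration and that call may read it. That is worth confirming against the 7.26.0 function body when backporting. service is never written to, so it can be declared const char service[] = "smtp";.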
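Review bot: The snprintf() into uri in the @@ -963,8 +964,8 @@ hunk discards its return value, so a realm that does not fit in uri[128] is silently truncated and the function carries on to the H(A2) calculation with the shortened string. Compare the result against sizeof(uri) and return an error from the function when it is greater or equal, instead of continuing with a truncated digest-uri.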
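Review bot: In the @@ -1008,20 +1009,11 @@ hunk the new format string writes nc=\"%s\", while the removed strcat() sequence emitted nc unquoted ("\",nc=" followed directly by nonceCount and then ",digest-uri=\""). That changes the bytes sent for the nc field, which an overflow fix should not do; use nc=%s so the response stays identical to what the old code produced. The return value of this snprintf() is also ignored, so an overlong user, realm or nonce is silently cut off inside response[512] and the truncated string is then passed to Curl_base64_encode(); check the result against sizeof(response) and fail the authentication in that case.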
