Your message dated Thu, 24 Feb 2005 06:17:08 -0500
with message-id <[EMAIL PROTECTED]>
and subject line Bug#296678: fixed in curl 7.13.0-2
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 23 Feb 2005 22:22:18 +0000
From [EMAIL PROTECTED] Wed Feb 23 14:22:18 2005
Return-path: <[EMAIL PROTECTED]>
Received: from inutil.org (vserver151.vserver151.serverflex.de) [193.22.164.111]
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1D44te-0004Vk-00; Wed, 23 Feb 2005 14:22:18 -0800
Received: from pd9e183b8.dip.t-dialin.net ([217.225.131.184] helo=localhost.localdomain)
        by vserver151.vserver151.serverflex.de with asmtp (TLS-1.0:RSA_AES_128_CBC_SHA:16)
        (Exim 4.34)
        id 1D44tb-0003MK-ML
        for [EMAIL PROTECTED]; Wed, 23 Feb 2005 23:22:16 +0100
Received: from jmm by localhost.localdomain with local (Exim 4.44)
        id 1D44tX-0003sx-Ur
        for [EMAIL PROTECTED]; Wed, 23 Feb 2005 23:22:11 +0100
Content-Type: multipart/mixed; boundary="===============1253158897=="
MIME-Version: 1.0
From: Moritz Muehlenhoff <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: libcurl3: NTLM Authentication buffer overflow (CAN-2005-0490)
X-Mailer: reportbug 3.8
Date: Wed, 23 Feb 2005 23:22:11 +0100
X-Debbugs-Cc: [EMAIL PROTECTED]
Message-Id: <[EMAIL PROTECTED]>
X-SA-Exim-Connect-IP: 217.225.131.184
X-SA-Exim-Mail-From: [EMAIL PROTECTED]
X-SA-Exim-Scanned: No (on vserver151.vserver151.serverflex.de); SAEximRunCond expanded to false
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-11.0 required=4.0 tests=BAYES_00,HAS_PACKAGE,
        X_DEBBUGS_CC autolearn=ham version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

This is a multi-part MIME message sent by reportbug.

--===============1253158897==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Package: libcurl3
Version: 7.13.0-1
Severity: grave
Tags: patch
Justification: user security hole

iDefense discovered a buffer overflow in NTLM authentication that may lead
to arbitrary code execution. This is CAN-2005-0490. Woody is not affected,
as it doesn't contain the vulnerable NTLM code. (It's not listed on the
Not-Vulnerable list yet, though)

Upstream's patch to address this issue is attached; I didn't resync it
against the Debian package, because all this internal to-7.11 patching
seems, umm, scary.

The advisory can be found at
http://www.idefense.com/application/poi/display?id=202&type=vulnerabilities

There's another buffer overflow in Kerberos handling, but it doesn't seem
to be enabled in debian/rules; please double check this.

Cheers,
        Moritz

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-1-686
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages libcurl3 depends on:
ii  libc6                       2.3.2.ds1-20 GNU C Library: Shared libraries an
ii  libidn11                    0.5.2-3      GNU libidn library, implementation
ii  libssl0.9.7                 0.9.7e-3     SSL shared libraries
ii  zlib1g                      1:1.2.2-4    compression library - runtime

-- no debconf information

--===============1253158897==
Content-Type: text/x-c; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="curl-can-2005-0490.patch"

===================================================================
RCS file: /cvsroot/curl/curl/lib/http_ntlm.c,v
retrieving revision 1.36
retrieving revision 1.37
diff -u -r1.36 -r1.37
--- curl/lib/http_ntlm.c        2004/12/07 23:09:41     1.36
+++ curl-7.9.5/lib/http_ntlm.c  2005/02/22 07:44:14     1.37
@@ -103,7 +103,6 @@
     header++;
 
   if(checkprefix("NTLM", header)) {
-    unsigned char buffer[256];
     header += strlen("NTLM");
 
     while(*header && isspace((int)*header))
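Review bot: removing the fixed `unsigned char buffer[256]` is the substance of the fix, since that declaration sized the base64 decode target with no relation to the length of the incoming `NTLM` header; the hunk is correct on its own because the replacement allocation follows in the next hunk, but the changelog entry for CAN-2005-0490 should name this stack buffer as the overflow site so the fix stays traceable to the code.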
@@ -123,8 +122,12 @@
          (40)    Target Information  (optional) security buffer(*)
          32 (48) start of data block
       */
+      size_t size;
+      unsigned char *buffer = (unsigned char *)malloc(strlen(header));
+      if (buffer == NULL)
+        return CURLNTLM_BAD;
 
-      size_t size = Curl_base64_decode(header, (char *)buffer);
+      size = Curl_base64_decode(header, (char *)buffer);
 
       ntlm->state = NTLMSTATE_TYPE2; /* we got a type-2 */
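Review bot: `malloc(strlen(header))` is only sufficient because base64 decoding produces at most three quarters of the encoded length, so the decoded type-2 message can never exceed the allocation; that invariant is what makes this hunk safe and deserves a one-line comment next to the `malloc`, since a later change to `Curl_base64_decode` could silently move the bound. Two smaller points: when `header` is empty after the `NTLM` prefix and its whitespace, `malloc(0)` may legitimately return NULL on some C libraries and the request is then reported as `CURLNTLM_BAD`, which is acceptable for a header carrying no challenge but worth stating; and the new `if (buffer == NULL)` uses a space before the parenthesis while the surrounding file writes `if(checkprefix(...))` and `if(ntlm->state ...)`, so match the file's style.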
 
@@ -134,6 +137,7 @@
 
       /* at index decimal 20, there's a 32bit NTLM flag field */
 
+      free(buffer);
     }
     else {
       if(ntlm->state >= NTLMSTATE_TYPE1)
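Review bot: `free(buffer)` sits only at the end of the `NTLM` branch, so any `return` between the `malloc` in the previous hunk and this line (the type-2 parsing in the lines this diff does not show) would leak the decoded header on every failed challenge; please confirm there is no such early exit, or free the buffer before each one. The placement is otherwise right: `buffer` must outlive the flag-field and target-info reads that follow the decode.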

--===============1253158897==--

---------------------------------------
Received: (at 296678-close) by bugs.debian.org; 24 Feb 2005 11:23:02 +0000
From [EMAIL PROTECTED] Thu Feb 24 03:23:02 2005
Return-path: <[EMAIL PROTECTED]>
Received: from newraff.debian.org [208.185.25.31] (mail)
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1D4H5B-00078a-00; Thu, 24 Feb 2005 03:23:01 -0800
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
        id 1D4GzU-0003tz-00; Thu, 24 Feb 2005 06:17:08 -0500
From: Domenico Andreoli <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.55 $
Subject: Bug#296678: fixed in curl 7.13.0-2
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Thu, 24 Feb 2005 06:17:08 -0500
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 
X-CrossAssassin-Score: 2

Source: curl
Source-Version: 7.13.0-2

We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive:

curl_7.13.0-2.diff.gz
  to pool/main/c/curl/curl_7.13.0-2.diff.gz
curl_7.13.0-2.dsc
  to pool/main/c/curl/curl_7.13.0-2.dsc
curl_7.13.0-2_i386.deb
  to pool/main/c/curl/curl_7.13.0-2_i386.deb
libcurl3-dbg_7.13.0-2_i386.deb
  to pool/main/c/curl/libcurl3-dbg_7.13.0-2_i386.deb
libcurl3-dev_7.13.0-2_i386.deb
  to pool/main/c/curl/libcurl3-dev_7.13.0-2_i386.deb
libcurl3-gssapi_7.13.0-2_i386.deb
  to pool/main/c/curl/libcurl3-gssapi_7.13.0-2_i386.deb
libcurl3_7.13.0-2_i386.deb
  to pool/main/c/curl/libcurl3_7.13.0-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Domenico Andreoli <[EMAIL PROTECTED]> (supplier of updated curl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 24 Feb 2005 10:07:22 +0100
Source: curl
Binary: libcurl3-dbg libcurl3 libcurl3-dev libcurl3-gssapi curl
Architecture: source i386
Version: 7.13.0-2
Distribution: unstable
Urgency: high
Maintainer: Domenico Andreoli <[EMAIL PROTECTED]>
Changed-By: Domenico Andreoli <[EMAIL PROTECTED]>
Description: 
 curl       - Get a file from an HTTP, HTTPS, FTP or GOPHER server
 libcurl3   - Multi-protocol file transfer library, now with SSL support!
 libcurl3-dbg - libcurl compiled with debug symbols
 libcurl3-dev - Development files and documentation for libcurl
 libcurl3-gssapi - libcurl compiled with GSSAPI support
Closes: 274631 296678
Changes: 
 curl (7.13.0-2) unstable; urgency=high
 .
   * Fixed NTLM Authentication buffer overflow (closes: #296678).
     Patch courtesy of Daniel Stenberg. This handles CAN-2005-0490.
   * Removed libcurl2* packages and all the scary stuff used to build them
     (closes: #274631).
Files: 
 803dcd4eba32b48a12863578a3a8f9a9 798 web optional curl_7.13.0-2.dsc
 4e9a0c7fbe035c3a41aa39baf6eeece4 168192 web optional curl_7.13.0-2.diff.gz
 6b2da4fc0ab2fcba0eba3481ce0a2d72 173022 web optional curl_7.13.0-2_i386.deb
 440d0f4c7e80bc935072d87766d9beaf 261156 libs optional libcurl3_7.13.0-2_i386.deb
 e5302a9fb0c34985629b50a146bae5c5 141382 libs extra libcurl3-gssapi_7.13.0-2_i386.deb
 e4076bb4b9af76354ceb451cc7d953ec 1014248 libdevel extra libcurl3-dbg_7.13.0-2_i386.deb
 a58871b7cb7c397657dd447fe59ecb5e 1223838 libdevel optional libcurl3-dev_7.13.0-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCHbNPBneQM6IOvFARAs+cAKCNpPpVjDP3blNMeBQO6hP7I5Qi0wCePWiw
lsFZOMTREYR6jqJ23MvkAzU=
=av7K
-----END PGP SIGNATURE-----

