Hi, I prepared curl 7.13.2-2sarge4, which fixes a buffer overflow in the URL parser function (#342339, CVE-2005-4077).

A complete description of the breach is available at http://curl.haxx.se/docs/adv_20051207.html, http://www.hardened-php.net/advisory_242005.109.html and http://www.securityfocus.com/archive/1/archive/1/418849/100/0/threaded. I uploaded it to http://people.debian.org/~cavok/curl/ for your revision.

$ debdiff curl_7.13.2-2sarge3.dsc curl_7.13.2-2sarge4.dsc diff -u curl-7.13.2/debian/changelog curl-7.13.2/debian/changelog --- curl-7.13.2/debian/changelog +++ curl-7.13.2/debian/changelog @@ -1,3 +1,10 @@ +curl (7.13.2-2sarge4) stable-security; urgency=high + + * Fixed buffer overflow in URL parser function (closes: #342339). + CVE-2005-4077 + + -- Domenico Andreoli <[EMAIL PROTECTED]> Wed, 7 Dec 2005 13:21:53 +0100 + curl (7.13.2-2sarge3) stable-security; urgency=high * Fixed user+domain name buffer overflow in the NTLM code only in patch2: unchanged: --- curl-7.13.2.orig/lib/url.c +++ curl-7.13.2/lib/url.c @@ -2318,12 +2318,18 @@ if(urllen < LEAST_PATH_ALLOC) urllen=LEAST_PATH_ALLOC; - conn->pathbuffer=(char *)malloc(urllen); + /* + * We malloc() the buffers below urllen+2 to make room for to possibilities: + * 1 - an extra terminating zero + * 2 - an extra slash (in case a syntax like "www.host.com?moo" is used) + */ + + conn->pathbuffer=(char *)malloc(urllen+2); if(NULL == conn->pathbuffer) return CURLE_OUT_OF_MEMORY; /* really bad error */ conn->path = conn->pathbuffer; - conn->host.rawalloc=(char *)malloc(urllen); + conn->host.rawalloc=(char *)malloc(urllen+2); if(NULL == conn->host.rawalloc) return CURLE_OUT_OF_MEMORY; conn->host.name = conn->host.rawalloc; $

regards
domenico

-----[ Domenico Andreoli, aka cavok
--[ http://people.debian.org/~cavok/gpgkey.asc
---[ 3A0F 2F80 F79C 678A 8936 4FEE 0677 9033 A20E BC50
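Review bot: in the debian/changelog hunk the CVE id sits on its own continuation line under the bullet; fold it into the bullet, e.g. "* Fixed buffer overflow in URL parser function (CVE-2005-4077, closes: #342339)", so the entry is self-contained, and consider citing the upstream advisory URL (http://curl.haxx.se/docs/adv_20051207.html) there as well, since the cover mail already refers to it.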
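Review bot: the new comment in lib/url.c has a typo and an awkward clause: "to make room for to possibilities" should read "to make room for two possibilities", and "We malloc() the buffers below urllen+2" reads better as "We malloc() the buffers below with urllen+2 bytes". On the logic, the hunk only enlarges the two malloc() calls; the code that writes the extra terminating zero and the extra slash for the "www.host.com?moo" case lies outside the hunk, so please confirm those writes are bounded by urllen+2 and that no other user of conn->pathbuffer or conn->host.rawalloc still assumes the old urllen size. The comment justifies the extra slash for the path buffer only; a short note on why conn->host.rawalloc also gets +2 (rather than just the +1 for the terminator) would make the intent clear to the next reader.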