Package: libcurl3
Version: 7.13.0-1
Severity: grave
Tags: patch
Justification: user security hole

iDefense discovered a buffer overflow in NTLM authentication that may lead
to arbitrary code execution. This is CAN-2005-0490. Woody is not affected,
as it doesn't contain the vulnerable NTLM code. (It's not listed on the
Not-Vulnerable list yet, though)

Upstream's patch to address this issue is attached, I didn't resync it
against the Debian package, because all this internal to-7.11 patching
seems, umm, scary.

The advisory can be found at
http://www.idefense.com/application/poi/display?id=202&type=vulnerabilities

There's another buffer overflow in Kerberos handling, but it doesn't seem
to be enabled in debian/rules, but please double check this.

Cheers,
        Moritz

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-1-686
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages libcurl3 depends on:
ii  libc6                       2.3.2.ds1-20 GNU C Library: Shared libraries an
ii  libidn11                    0.5.2-3      GNU libidn library, implementation
ii  libssl0.9.7                 0.9.7e-3     SSL shared libraries
ii  zlib1g                      1:1.2.2-4    compression library - runtime

-- no debconf information
===================================================================
RCS file: /cvsroot/curl/curl/lib/http_ntlm.c,v
retrieving revision 1.36
retrieving revision 1.37
diff -u -r1.36 -r1.37
--- curl/lib/http_ntlm.c	2004/12/07 23:09:41	1.36
+++ curl-7.9.5/lib/http_ntlm.c	2005/02/22 07:44:14	1.37
@@ -103,7 +103,6 @@
     header++;
 
   if(checkprefix("NTLM", header)) {
-    unsigned char buffer[256];
     header += strlen("NTLM");
 
     while(*header && isspace((int)*header))
@@ -123,8 +122,12 @@
          (40)    Target Information  (optional) security buffer(*)
          32 (48) start of data block
       */
+      size_t size;
+      unsigned char *buffer = (unsigned char *)malloc(strlen(header));
+      if (buffer == NULL)
+        return CURLNTLM_BAD;
 
-      size_t size = Curl_base64_decode(header, (char *)buffer);
+      size = Curl_base64_decode(header, (char *)buffer);
 
       ntlm->state = NTLMSTATE_TYPE2; /* we got a type-2 */
 
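Review bot: `size` is never validated in this hunk before the fixed offsets described in the layout comment above it (the flag field at index 20, the data block starting at 32, or 48 with the optional target information) are read, so a truncated or malformed type-2 message would be read past the end of the newly malloc'd buffer. Suggest checking the decode result against that minimum right after `size = Curl_base64_decode(header, (char *)buffer);`, e.g. `if(size < 32) { free(buffer); return CURLNTLM_BAD; }`. Sizing the allocation as `strlen(header)` is sufficient because base64 decodes to at most three quarters of its input length, but a one-line comment stating that would save the next reader the derivation.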
@@ -134,6 +137,7 @@
 
       /* at index decimal 20, there's a 32bit NTLM flag field */
 
+      free(buffer);
     }
     else {
       if(ntlm->state >= NTLMSTATE_TYPE1)
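Review bot: the `free(buffer);` at the end of the block covers the normal path only; the hunk shows no other exits, but every early return between the `malloc` and this `free` (including any added for a short or failed decode) needs its own `free(buffer);`, otherwise each rejected type-2 header leaks one allocation, which matters on a long-lived client that keeps retrying. Since the 256-byte declaration was removed from the outer scope, `buffer` now only exists inside this inner block, so the `free` must stay inside the closing brace shown here.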
