Package: libcurl3
Version: 7.13.0-1
Severity: grave
Tags: patch
Justification: user security hole
iDefense discovered a buffer overflow in NTLM authentication that may lead to arbitrary code execution. This is CAN-2005-0490.

Woody is not affected, as it doesn't contain the vulnerable NTLM code. (It's not listed on the Not-Vulnerable list yet, though.)

Upstream's patch to address this issue is attached; I didn't resync it against the Debian package, because all this internal to-7.11 patching seems, umm, scary.

The advisory can be found at http://www.idefense.com/application/poi/display?id=202&type=vulnerabilities

There's another buffer overflow in Kerberos handling, but it doesn't seem to be enabled in debian/rules. Please double check this.

Cheers,
Moritz

-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-1-686
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages libcurl3 depends on:
ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an
ii libidn11 0.5.2-3 GNU libidn library, implementation
ii libssl0.9.7 0.9.7e-3 SSL shared libraries
ii zlib1g 1:1.2.2-4 compression library - runtime

-- no debconf information
=================================================================== RCS file: /cvsroot/curl/curl/lib/http_ntlm.c,v retrieving revision 1.36 retrieving revision 1.37 diff -u -r1.36 -r1.37 --- curl/lib/http_ntlm.c 2004/12/07 23:09:41 1.36 +++ curl-7.9.5/lib/http_ntlm.c 2005/02/22 07:44:14 1.37 @@ -103,7 +103,6 @@ header++; if(checkprefix("NTLM", header)) { - unsigned char buffer[256]; header += strlen("NTLM"); while(*header && isspace((int)*header)) @@ -123,8 +122,12 @@ (40) Target Information (optional) security buffer(*) 32 (48) start of data block */ + size_t size; + unsigned char *buffer = (unsigned char *)malloc(strlen(header)); + if (buffer == NULL) + return CURLNTLM_BAD; - size_t size = Curl_base64_decode(header, (char *)buffer); + size = Curl_base64_decode(header, (char *)buffer); ntlm->state = NTLMSTATE_TYPE2; /* we got a type-2 */ @@ -134,6 +137,7 @@ /* at index decimal 20, there's a 32bit NTLM flag field */ + free(buffer); } else { if(ntlm->state >= NTLMSTATE_TYPE1)
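Review bot: In the first hunk (@@ -103,7 +103,6 @@), dropping the fixed `unsigned char buffer[256];` is the core of the fix, since the base64-decoded Type-2 message is attacker-controlled and was written into a 256-byte stack array with no length check; note that this hunk only compiles together with the heap allocation introduced in the second hunk, so the two must not be applied separately.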
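Review bot: In the second hunk (@@ -123,8 +122,12 @@), `malloc(strlen(header))` is a safe upper bound because base64 output is never longer than its input, but the hunk adds no check that the decoded `size` is large enough before the fixed-offset reads the surrounding comments describe (the 32-bit flag field "at index decimal 20", and the header layout running to offset 48); a short or malformed Type-2 blob would still be read past `size`, so suggest guarding with something like `if(size < 48) { free(buffer); return CURLNTLM_BAD; }` before those reads. Also note that an empty `header` yields `malloc(0)`, whose return value is implementation-defined and may be non-NULL, so the `buffer == NULL` check alone does not reject a zero-length input.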
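Review bot: In the third hunk (@@ -134,6 +137,7 @@), `free(buffer);` is placed only at the end of the `if(checkprefix("NTLM", header))` branch, so any early `return` between the `malloc` in the previous hunk and this point would leak the buffer; please confirm there are no such returns in the elided body, or release the buffer on every exit path.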