Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Hi,

I have prepared a tpu upload for curl to fix #700002 (aka CVE-2013-0249) which
is already fixed in sid by curl/7.29.0-1.

See attached debdiff.

Cheers

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (990, 'unstable'), (600, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.7-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru curl-7.26.0/debian/changelog curl-7.26.0/debian/changelog
--- curl-7.26.0/debian/changelog	2012-05-25 15:20:44.000000000 +0200
+++ curl-7.26.0/debian/changelog	2013-02-10 19:15:35.000000000 +0100
@@ -1,3 +1,12 @@
+curl (7.26.0-1+wheezy1) testing-proposed-updates; urgency=high
+
+  * Fix buffer overflow when negotiating SMTP DIGEST-MD5 authentication
+    as per CVE-2013-0249 (Closes: #700002)
+    http://curl.haxx.se/docs/adv_20130206.html
+  * Set urgency=high accordingly
+
+ -- Alessandro Ghedini <gh...@debian.org>  Sun, 10 Feb 2013 19:14:47 +0100
+
 curl (7.26.0-1) unstable; urgency=low
 
   * New upstream release
diff -Nru curl-7.26.0/debian/patches/05_curl-sasl-CVE-2013-0249.patch curl-7.26.0/debian/patches/05_curl-sasl-CVE-2013-0249.patch
--- curl-7.26.0/debian/patches/05_curl-sasl-CVE-2013-0249.patch	1970-01-01 01:00:00.000000000 +0100
+++ curl-7.26.0/debian/patches/05_curl-sasl-CVE-2013-0249.patch	2013-02-10 19:17:22.000000000 +0100
@@ -0,0 +1,60 @@
+Description: Fix buffer overflow in SMTP DIGEST-MD5 negotiation
+ When negotiating SMTP DIGEST-MD5 authentication, the function
+ smtp_state_authdigest_resp() uses the data provided from the
+ server without doing the proper length checks and that data is then
+ appended to a local fixed-size buffer on the stack.
+Origin: vendor, adapted from http://curl.haxx.se/curl-sasl.patch
+Bug: http://curl.haxx.se/docs/adv_20130206.html
+Bug-Debian: http://bugs.debian.org/700002
+Forwarded: not-needed
+Author: Alessandro Ghedini <gh...@debian.org>
+Last-Update: 2013-02-10
+
+--- a/lib/smtp.c
++++ b/lib/smtp.c
+@@ -879,7 +879,7 @@
+   char cnonce[]     = "12345678"; /* will be changed */
+   char method[]     = "AUTHENTICATE";
+   char qop[]        = "auth";
+-  char uri[128]     = "smtp/";
++  char uri[128];
+   char response[512];
+ 
+   (void)instate; /* no use for this yet */
+@@ -963,8 +963,8 @@
+   for(i = 0; i < MD5_DIGEST_LEN; i++)
+     snprintf(&HA1_hex[2 * i], 3, "%02x", digest[i]);
+ 
+-  /* Orepare URL string, append realm to the protocol */
+-  strcat(uri, realm);
++  /* Prepare the URL string */
++  snprintf(uri, sizeof(uri), "smtp/%s", realm);
+ 
+   /* Calculate H(A2) */
+   ctxt = Curl_MD5_init(Curl_DIGEST_MD5);
+@@ -1008,20 +1008,11 @@
+   for(i = 0; i < MD5_DIGEST_LEN; i++)
+     snprintf(&resp_hash_hex[2 * i], 3, "%02x", digest[i]);
+ 
+-  strcpy(response, "username=\"");
+-  strcat(response, conn->user);
+-  strcat(response, "\",realm=\"");
+-  strcat(response, realm);
+-  strcat(response, "\",nonce=\"");
+-  strcat(response, nonce);
+-  strcat(response, "\",cnonce=\"");
+-  strcat(response, cnonce);
+-  strcat(response, "\",nc=");
+-  strcat(response, nonceCount);
+-  strcat(response, ",digest-uri=\"");
+-  strcat(response, uri);
+-  strcat(response, "\",response=");
+-  strcat(response, resp_hash_hex);
++  snprintf(response, sizeof(response),
++           "username=\"%s\",realm=\"%s\",nonce=\"%s\","
++           "cnonce=\"%s\",nc=\"%s\",digest-uri=\"%s\",response=%s",
++           conn->user, realm, nonce,
++           cnonce, nonceCount, uri, resp_hash_hex);
+ 
+   /* Encode it to base64 and send it */
+   result = Curl_base64_encode(data, response, 0, &rplyb64, &len);
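Review bot: The rewritten response string in the last lib/smtp.c hunk changes the wire format as well as the bounds handling: the removed strcat() sequence emitted `",nc=` followed by nonceCount with no quotes, while the new format string contains `nc=\"%s\"`, so the nonce count is now sent quoted. If that is not intended for a security-only upload, use `nc=%s` so the output stays byte-identical to what the old code produced. Separately, both new snprintf() calls (the one filling uri and the one filling response) discard the return value, so an over-long realm or nonce is silently truncated. Comparing the result against sizeof(uri) and sizeof(response) and failing the authentication step on overflow would make that case explicit instead of sending a digest-uri or response that was cut short.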
diff -Nru curl-7.26.0/debian/patches/series curl-7.26.0/debian/patches/series
--- curl-7.26.0/debian/patches/series	2012-05-25 15:20:44.000000000 +0200
+++ curl-7.26.0/debian/patches/series	2013-02-10 19:14:42.000000000 +0100
@@ -2,6 +2,7 @@
 02_art_http_scripting.patch
 03_keep_symbols_compat.patch
 04_workaround_as_needed_bug.patch
+05_curl-sasl-CVE-2013-0249.patch
 
 90_gnutls.patch
 99_nss.patch
