hi,
I prepared curl 7.13.2-2sarge4, which fixes a buffer overflow in the URL
parser function (#342339, CVE-2005-4077).
A complete description of the breach is available at
http://curl.haxx.se/docs/adv_20051207.html,
http://www.hardened-php.net/advisory_242005.109.html,
http://www.securityfocus.com/archive/1/archive/1/418849/100/0/threaded.
I uploaded it to http://people.debian.org/~cavok/curl/ for your revision.
$ debdiff curl_7.13.2-2sarge3.dsc curl_7.13.2-2sarge4.dsc
diff -u curl-7.13.2/debian/changelog curl-7.13.2/debian/changelog
--- curl-7.13.2/debian/changelog
+++ curl-7.13.2/debian/changelog
@@ -1,3 +1,10 @@
+curl (7.13.2-2sarge4) stable-security; urgency=high
+
+ * Fixed buffer overflow in URL parser function (closes: #342339).
+CVE-2005-4077
+
+ -- Domenico Andreoli <[EMAIL PROTECTED]> Wed, 7 Dec 2005 13:21:53 +0100
+
curl (7.13.2-2sarge3) stable-security; urgency=high
* Fixed user+domain name buffer overflow in the NTLM code
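Review bot: the added "+CVE-2005-4077" line in the changelog entry has no leading indentation, so it is not part of the bullet above it and will not parse as an entry body line; fold it into the bullet instead, e.g. " * Fixed buffer overflow in URL parser function (closes: #342339, CVE-2005-4077)." so that the CVE reference stays attached to the fix it describes.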
only in patch2:
unchanged:
--- curl-7.13.2.orig/lib/url.c
+++ curl-7.13.2/lib/url.c
@@ -2318,12 +2318,18 @@
if(urllen < LEAST_PATH_ALLOC)
urllen=LEAST_PATH_ALLOC;
- conn->pathbuffer=(char *)malloc(urllen);
+ /*
+ * We malloc() the buffers below urllen+2 to make room for to possibilities:
+ * 1 - an extra terminating zero
+ * 2 - an extra slash (in case a syntax like "www.host.com?moo" is used)
+ */
+
+ conn->pathbuffer=(char *)malloc(urllen+2);
if(NULL == conn->pathbuffer)
return CURLE_OUT_OF_MEMORY; /* really bad error */
conn->path = conn->pathbuffer;
- conn->host.rawalloc=(char *)malloc(urllen);
+ conn->host.rawalloc=(char *)malloc(urllen+2);
if(NULL == conn->host.rawalloc)
return CURLE_OUT_OF_MEMORY;
conn->host.name = conn->host.rawalloc;
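Review bot: the new comment reads "make room for to possibilities" where "two possibilities" is meant; since this comment is the only in-code record of why both malloc() calls grow from urllen to urllen+2 (one byte for the extra terminating zero, one for the slash inserted for a "www.host.com?moo" style URL), the typo should be fixed so the sizing rationale reads correctly for the next person who touches these buffers.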
$
regards
domenico
-[ Domenico Andreoli, aka cavok
--[ http://people.debian.org/~cavok/gpgkey.asc
---[ 3A0F 2F80 F79C 678A 8936 4FEE 0677 9033 A20E BC50