Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi,

I have prepared a tpu upload for curl to fix #72 (aka CVE-2013-0249) which
is already fixed in sid by curl/7.29.0-1.

See attached debdiff.

Cheers

-- System Information:
Debian Release: 7.0
APT prefers unstable
APT policy: (990, 'unstable'), (600, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.7-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru curl-7.26.0/debian/changelog curl-7.26.0/debian/changelog
--- curl-7.26.0/debian/changelog 2012-05-25 15:20:44.0 +0200
+++ curl-7.26.0/debian/changelog 2013-02-10 19:15:35.0 +0100
@@ -1,3 +1,12 @@
+curl (7.26.0-1+wheezy1) testing-proposed-updates; urgency=high
+
+ * Fix buffer overflow when negotiating SMTP DIGEST-MD5 authentication
+as per CVE-2013-0249 (Closes: #72)
+http://curl.haxx.se/docs/adv_20130206.html
+ * Set urgency=high accordingly
+
+ -- Alessandro Ghedini gh...@debian.org Sun, 10 Feb 2013 19:14:47 +0100
+
curl (7.26.0-1) unstable; urgency=low
* New upstream release
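Review bot: The new changelog entry does not name the file that carries the fix. Its first bullet gives the CVE, the bug number and the advisory URL, but not 05_curl-sasl-CVE-2013-0249.patch, so a reader of the changelog has to open debian/patches/series to find the change. Naming the patch in that bullet (for example "Add 05_curl-sasl-CVE-2013-0249.patch to fix buffer overflow ...") would make the entry self-contained.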
diff -Nru curl-7.26.0/debian/patches/05_curl-sasl-CVE-2013-0249.patch curl-7.26.0/debian/patches/05_curl-sasl-CVE-2013-0249.patch
--- curl-7.26.0/debian/patches/05_curl-sasl-CVE-2013-0249.patch 1970-01-01 01:00:00.0 +0100
+++ curl-7.26.0/debian/patches/05_curl-sasl-CVE-2013-0249.patch 2013-02-10 19:17:22.0 +0100
@@ -0,0 +1,60 @@
+Description: Fix buffer overflow in SMTP DIGEST-MD5 negotiation
+ When negotiating SMTP DIGEST-MD5 authentication, the function
+ smtp_state_authdigest_resp() uses the data provided from the
+ server without doing the proper length checks and that data is then
+ appended to a local fixed-size buffer on the stack.
+Origin: vendor, adapted from http://curl.haxx.se/curl-sasl.patch
+Bug: http://curl.haxx.se/docs/adv_20130206.html
+Bug-Debian: http://bugs.debian.org/72
+Forwarded: not-needed
+Author: Alessandro Ghedini gh...@debian.org
+Last-Update: 2013-02-10
+
+--- a/lib/smtp.c
b/lib/smtp.c
+@@ -879,7 +879,7 @@
+ char cnonce[] = 12345678; /* will be changed */
+ char method[] = AUTHENTICATE;
+ char qop[]= auth;
+- char uri[128] = smtp/;
++ char uri[128];
+ char response[512];
+
+ (void)instate; /* no use for this yet */
+@@ -963,8 +963,8 @@
+ for(i = 0; i MD5_DIGEST_LEN; i++)
+ snprintf(HA1_hex[2 * i], 3, %02x, digest[i]);
+
+- /* Orepare URL string, append realm to the protocol */
+- strcat(uri, realm);
++ /* Prepare the URL string */
++ snprintf(uri, sizeof(uri), smtp/%s, realm);
+
+ /* Calculate H(A2) */
+ ctxt = Curl_MD5_init(Curl_DIGEST_MD5);
+@@ -1008,20 +1008,11 @@
+ for(i = 0; i MD5_DIGEST_LEN; i++)
+ snprintf(resp_hash_hex[2 * i], 3, %02x, digest[i]);
+
+- strcpy(response, username=\);
+- strcat(response, conn-user);
+- strcat(response, \,realm=\);
+- strcat(response, realm);
+- strcat(response, \,nonce=\);
+- strcat(response, nonce);
+- strcat(response, \,cnonce=\);
+- strcat(response, cnonce);
+- strcat(response, \,nc=);
+- strcat(response, nonceCount);
+- strcat(response, ,digest-uri=\);
+- strcat(response, uri);
+- strcat(response, \,response=);
+- strcat(response, resp_hash_hex);
++ snprintf(response, sizeof(response),
++ username=\%s\,realm=\%s\,nonce=\%s\,
++ cnonce=\%s\,nc=\%s\,digest-uri=\%s\,response=%s,
++ conn-user, realm, nonce,
++ cnonce, nonceCount, uri, resp_hash_hex);
+
+ /* Encode it to base64 and send it */
+ result = Curl_base64_encode(data, response, 0, rplyb64, len);
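Review bot: Neither of the two new snprintf() calls, the one filling uri[128] and the one filling response[512], is checked for truncation. An over-long realm (which the patch description says comes from the server) can no longer overrun the stack buffers, but it is now cut off silently and the code continues on to Curl_base64_encode() and sends a shortened response. Consider verifying that the inputs fit before formatting, or detecting truncation afterwards, and failing the negotiation with an error in that case. The Description field would also benefit from one sentence saying that over-long input is now truncated, since that is a behaviour change a reader of the patch header cannot see.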
diff -Nru curl-7.26.0/debian/patches/series curl-7.26.0/debian/patches/series
--- curl-7.26.0/debian/patches/series 2012-05-25 15:20:44.0 +0200
+++ curl-7.26.0/debian/patches/series 2013-02-10 19:14:42.0 +0100
@@ -2,6 +2,7 @@
02_art_http_scripting.patch
03_keep_symbols_compat.patch
04_workaround_as_needed_bug.patch
+05_curl-sasl-CVE-2013-0249.patch
90_gnutls.patch
99_nss.patch