curl 7.13.2-2sarge4 fixes #342339 for sarge and CVE-2005-4077

2005-12-09 Thread Domenico Andreoli
hi,

  i prepared curl 7.13.2-2sarge4 which fixes a buffer overflow in URL
parser function (#342339, CVE-2005-4077).

complete description of the breach is available at
http://curl.haxx.se/docs/adv_20051207.html,
http://www.hardened-php.net/advisory_242005.109.html,
http://www.securityfocus.com/archive/1/archive/1/418849/100/0/threaded.

i uploaded it to http://people.debian.org/~cavok/curl/ for your revision.

$ debdiff curl_7.13.2-2sarge3.dsc curl_7.13.2-2sarge4.dsc
diff -u curl-7.13.2/debian/changelog curl-7.13.2/debian/changelog
--- curl-7.13.2/debian/changelog
+++ curl-7.13.2/debian/changelog
@@ -1,3 +1,10 @@
+curl (7.13.2-2sarge4) stable-security; urgency=high
+
+  * Fixed buffer overflow in URL parser function (closes: #342339).
+CVE-2005-4077
+
+ -- Domenico Andreoli [EMAIL PROTECTED]  Wed,  7 Dec 2005 13:21:53 +0100
+
 curl (7.13.2-2sarge3) stable-security; urgency=high
 
   * Fixed user+domain name buffer overflow in the NTLM code
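Review bot: In the new 7.13.2-2sarge4 entry, the CVE-2005-4077 line follows the bullet on a line of its own and, as shown here, carries no indentation. Debian policy requires every change-detail line in debian/changelog to start with at least two spaces, so either indent it as a continuation of the bullet or fold it into the bullet text, for example "Fixed buffer overflow in URL parser function, CVE-2005-4077 (closes: #342339)."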
only in patch2:
unchanged:
--- curl-7.13.2.orig/lib/url.c
+++ curl-7.13.2/lib/url.c
@@ -2318,12 +2318,18 @@
   if(urllen  LEAST_PATH_ALLOC)
 urllen=LEAST_PATH_ALLOC;
 
-  conn-pathbuffer=(char *)malloc(urllen);
+  /*
+   * We malloc() the buffers below urllen+2 to make room for to possibilities:
+   * 1 - an extra terminating zero
+   * 2 - an extra slash (in case a syntax like www.host.com?moo is used)
+   */
+
+  conn-pathbuffer=(char *)malloc(urllen+2);
   if(NULL == conn-pathbuffer)
 return CURLE_OUT_OF_MEMORY; /* really bad error */
   conn-path = conn-pathbuffer;
 
-  conn-host.rawalloc=(char *)malloc(urllen);
+  conn-host.rawalloc=(char *)malloc(urllen+2);
   if(NULL == conn-host.rawalloc)
 return CURLE_OUT_OF_MEMORY;
   conn-host.name = conn-host.rawalloc;
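Review bot: Both malloc(urllen+2) calls are only sufficient if every later write into pathbuffer and host.rawalloc exceeds urllen by at most the two bytes the new comment lists, and those writes are outside this hunk. Please confirm that invariant against the parsing code that fills the buffers, and consider stating it in the comment so a future change to the parser does not silently break it. The same bare +2 appears in both calls; a single named constant would keep the two allocations in step. Minor: the comment reads "make room for to possibilities", which should be "two possibilities".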
$

regards
domenico

-[ Domenico Andreoli, aka cavok
 --[ http://people.debian.org/~cavok/gpgkey.asc
   ---[ 3A0F 2F80 F79C 678A 8936  4FEE 0677 9033 A20E BC50




manual build on alpha (was Bug#264539: libapache-mod-ssl: DSA-532-1 still not available on alpha)

2004-08-09 Thread Domenico Andreoli
hi,

i need the following packages to be installed on escher's woody chroot in
order to build the missing binary package of libapache-mod-ssl for alpha.

required packages: openssl, libdb2-dev, apache, apache-dev (= 1.3.23).

the fixed upload of 2.8.9-2.4 by the security team misses the alpha
binary and i don't think it's a good idea to wait for the alpha
autobuilder to make it the next Christmas.

thanks
domenico

- Forwarded message from Helge Kreutzmann [EMAIL PROTECTED] -

Date: Mon, 9 Aug 2004 11:48:07 +0200
From: Helge Kreutzmann [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Bug#264539: libapache-mod-ssl: DSA-532-1 still not available on alpha

Package: libapache-mod-ssl
Version: 2.8.9-2.3
Severity: grave
Justification: user security hole
Tags: security

DSA-532-1 was issued on July 22nd, which is more than 2 weeks ago, without
updated packages for alpha. They are still not available. Please build them
ASAP to close this bug on alpha as well.

Thanks.

- End forwarded message -


-[ Domenico Andreoli, aka cavok
 --[ http://people.debian.org/~cavok/gpgkey.asc
   ---[ 3A0F 2F80 F79C 678A 8936  4FEE 0677 9033 A20E BC50


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



unsubscribe

2002-11-02 Thread Domenico Famularo







unsubscribe

2002-04-17 Thread DomenICO










unsubscribe

2002-03-23 Thread DomenICO







