Authentication Buffer Overflows
Project curl Security Advisory, February 21st 2005 - Permalink
Due to bad usage of the base64 decode function to a stack-based buffer without checking the data length, it was possible for a malicious HTTP server to overflow the client during NTLM negotiation and for an FTP server to overflow the client during krb4 negotiation. The announcement of this flaw was done without contacting us.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2005-0490 to this issue.
CWE-121: Stack-based Buffer Overflow
(This flaw was originally treated as two separate ones by the curl project, but due to it using a single CVE number we've reconsidered.)
- Affected versions: curl 7.3 to and including curl 7.13.0
- Not affected versions: curl < 7.3 and curl >= 7.13.1
This was not reported using the regular means so we did not make a standard time line for this issue.
We have no recording of who reported this.
- Reported-by: unknown