curl-users
6.5.2 buffer overflow.
Date: Tue, 09 May 2000 13:52:34 +0200
Unfortunately, it's non-exploitable as far as I can see on
OpenBSD-m68k. ;-)
Just do:
curl http://some.server/`perl -e 'print "A" x 5000'`
and you get a SIGSEGV.
bash-2.03$ diff -u /root/src/curl/src/urlglob.c ./src/urlglob.c
--- /root/src/curl/src/urlglob.c Tue Feb 8 01:27:21 2000
+++ ./src/urlglob.c Tue May 9 12:51:02 2000
@@ -171,6 +171,11 @@
char* buf = glob_buffer;
int litindex;
+ if (strlen(pattern)>URL_MAX_LENGTH) {
+ printf("There be bugs!\n");
+ exit (URG_URL_MALFORMAT);
+ }
+
while (*pattern != '\0' && *pattern != '{' && *pattern != '[') {
if (*pattern == '}' || *pattern == ']') {
printf("illegal character at position %d\n", pos);
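Review bot: the bound in the added `if (strlen(pattern)>URL_MAX_LENGTH)` is off by one if `glob_buffer` is declared with `URL_MAX_LENGTH` bytes (its declaration is outside this hunk). A pattern of exactly `URL_MAX_LENGTH` characters passes the check but leaves no room for a terminating NUL when it is written through `buf`. Using `>=`, or comparing against `sizeof` of the buffer, would close that. The message `There be bugs!` also gives the user no indication of the cause; a message stating that the URL is too long, with the limit, written to stderr, would make the failure diagnosable. The check only guards this one function, so other consumers of the URL string still see the unvalidated length.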
bash-2.03$
Maybe the string url should be checked at some earlier point,
in main.c or something, but at least this prevents the simplest
SEGVs.
And the "exit (URG_URL_MALFORMAT);" is something I saw in the
vicinity, it doesn't make any difference as far as I can see,
you only get "my" error message.
-- Everything is under control, and Caps Lock is right next to it.
Received on 2000-05-09