hi Daniel, hi all

Martin Godisch reported this issue for curl.

as always, full debian report is available at
  http://bugs.debian.org/178473

cheers
cavok

----- Forwarded message from Martin Godisch <martin_at_godisch.de> -----

Date: Sun, 26 Jan 2003 15:41:05 +0100
From: Martin Godisch <martin_at_godisch.de>
To: Debian Bug Tracking System <submit_at_bugs.debian.org>
Reply-To: Martin Godisch <martin_at_godisch.de>, 178473_at_bugs.debian.org
Subject: Bug#178473: curl: local user information leak

Package: curl
Version: 7.9.5-1
Severity: important
Tags: security

Passwords given to option -U are visible in the ps tree:

carlos:~/>curl -U user:pass some_url &; ps ax | grep curl | grep -v grep
[1] 26106
26106 pts/0 S 0:00 curl -U user:pass some_url

I suggest doing some kind of memset(optarg, '*', strlen(optarg)); when
curl parses its command line arguments.

Kind regards,

Martin

...

----- End forwarded message -----

-----[ Domenico Andreoli, aka cavok
 --[ http://filibusta.crema.unimi.it/~cavok/gpgkey.asc
   ---[ 3A0F 2F80 F79C 678A 8936 4FEE 0677 9033 A20E BC50

-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
Received on 2003-01-27