curl-users
[martin@godisch.de: Bug#178473: curl: local user information leak]
Date: Mon, 27 Jan 2003 18:02:19 +0100
hi again,
we have also this report... http://bugs.debian.org/178473
i never handled anything of this kind.
cheers
cavok
----- Forwarded message from Martin Godisch <martin_at_godisch.de> -----
Date: Sun, 26 Jan 2003 15:41:05 +0100
From: Martin Godisch <martin_at_godisch.de>
To: Debian Bug Tracking System <submit_at_bugs.debian.org>
Reply-To: Martin Godisch <martin_at_godisch.de>, 178473_at_bugs.debian.org
Subject: Bug#178473: curl: local user information leak
Package: curl
Version: 7.9.5-1
Severity: important
Tags: security
Passwords given to option -U are visible in the ps tree:
carlos:~/>curl -U user:pass some_url &; ps ax | grep curl | grep -v grep
[1] 26106
26106 pts/0 S 0:00 curl -U user:pass some_url
I suggest doing some kind of memset(optarg, '*', strlen(optarg)); when
curl parses its command line arguments.
Kind regards,
Martin
-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux carlos 2.4.21-pre3 #1 Fri Jan 10 11:09:00 CET 2003 i686
Locale: LANG=C, LC_CTYPE=de_DE
Versions of packages curl depends on:
ii libc6 2.2.5-11.2 GNU C Library: Shared libraries an
ii libcurl2 7.9.5-1 Multi-protocol file transfer libra
----- End forwarded message -----
-----[ Domenico Andreoli, aka cavok
--[ http://filibusta.crema.unimi.it/~cavok/gpgkey.asc
---[ 3A0F 2F80 F79C 678A 8936 4FEE 0677 9033 A20E BC50
-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
Received on 2003-01-27