curl-users
two buffer overflows
Date: Tue, 22 Feb 2005 12:47:15 +0100 (CET)
Hi
Just wanted to let you know about these two buffer overflows that were
announced publicly today. (We were not notified in advance.)
One of them concerns NTLM and the other krb4 ftp. Both can do bad stuff if
talking to a malicious server.
http://www.idefense.com/application/poi/display?id=202
http://www.idefense.com/application/poi/display?id=203
The issue has been posted to bugtraq and numerous security-related lists and
forums, so I expect a working "exploit" or "proof of concept" might show up.
There's a CAN number assigned to this (CAN-2005-0490 bundles both problems
with one number) and the NTLM problem is already fixed in CVS:
http://cool.haxx.se/cvs.cgi/curl/lib/http_ntlm.c.diff?r1=1.36&r2=1.37 This
patch should be possible to apply to many different curl versions.
I'm going away on vacation for a week now, but I'll put together a new release
when I get back.
You should be able to download a daily snapshot (starting tomorrow) or build
from a fresh CVS in case applying the diff is not good enough.
-- Daniel Stenberg -- http://curl.haxx.se -- http://daniel.haxx.se Dedicated custom curl help for hire: http://haxx.se/curl.htmlReceived on 2005-02-22