Additional info to CVE-2005-4077

From: Daniel Stenberg <>
Date: Tue, 13 Dec 2005 00:21:35 +0100 (CET)


I just wanted to mention that if you patched an older libcurl version with the
patch I produced (and as far as I've seen most distributions and providers
did), you should know that the patch is not fully working for 7.14.0 and

Wilfried Weissmann filed a Redhat bug report (175358) where he correctly had
identified one particular version which made me do some further research.

For libcurl 7.14.0 and earlier (down to and including 7.11.2) you must modify
the patch to do +3 instead of only doing +2. The reason for that is that the
default string in those old versions was "/" and not just a single zero byte.

The patch available at has been
adjusted and this new version is believed to work for all libcurl versions
from 7.11.2 to and including 7.15.0.

I've also updated both and to include this news.

Sorry for all the trouble.

Received on 2005-12-13