Re: [SECURITY ADVISORY] libcurl SASL buffer overflow

From: Daniel Stenberg
Date: Sun, 10 Feb 2013 18:03:40 +0100 (CET)

On Sun, 10 Feb 2013, Alessandro Ghedini wrote:

> I'm working on adapting the above patch for curl 7.26.0 which is the version
> currently in Debian Wheezy (being it in freeze, it's not possible to update
> to 7.29.0).
> Could someone please have a look at the attached patch? Is it enough, or is
> there something I've missed?

Looks perfectly reasonable to me. I didn't look at the 7.26.0 code right now,
but the idea is simply to replace the strcat()s with the proper snprintf()s.

If I would make the patch, I would not introduce a new local array named
'service'. I would just have that first snprintf() use "smtp" instead of the
first %s. But that's just a matter of style and taste, not a technical issue.

Received on 2013-02-10
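
The strcat()-to-snprintf() replacement discussed in the reply, sketched as an added example that is not part of the original mail, the attached patch, or libcurl's source. The function names, the buffer size and the `service/host` string layout are assumptions made for illustration; the point shown is that the snprintf() return value has to be checked, because a truncated string is silently produced otherwise.

```c
#include <stdio.h>
#include <string.h>

/* Shared check: snprintf() returns the length the full string would have
   had, so a value >= outlen means the output was truncated. */
static int fits(int n, char *out, size_t outlen)
{
  if(n < 0 || (size_t)n >= outlen) {
    out[0] = '\0'; /* never hand a truncated value to the caller */
    return -1;
  }
  return 0;
}

/* Variant with the service name passed in (the first %s). */
int build_uri(char *out, size_t outlen, const char *service, const char *host)
{
  if(!out || outlen == 0 || !service || !host)
    return -1;
  return fits(snprintf(out, outlen, "%s/%s", service, host), out, outlen);
}

/* Variant with "smtp" written into the format string, no extra array. */
int build_smtp_uri(char *out, size_t outlen, const char *host)
{
  if(!out || outlen == 0 || !host)
    return -1;
  return fits(snprintf(out, outlen, "smtp/%s", host), out, outlen);
}

int main(void)
{
  char uri[128];      /* assumed size, not libcurl's */
  char longhost[300]; /* constructed oversized input */
  memset(longhost, 'a', sizeof(longhost) - 1);
  longhost[sizeof(longhost) - 1] = '\0';

  printf("%d %s\n", build_smtp_uri(uri, sizeof(uri), "mail.example.com"), uri);
  printf("%d\n", build_uri(uri, sizeof(uri), "smtp", longhost));
  return 0;
}
```
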