SECURITY:

Fix NT LAN Manager (NTLM) authentication handling. By sending a specially crafted long NTLM reply packet, a remote attacker could overflow the reply buffer. This could lead to execution of arbitrary attacker specified code with the privileges of the application using the cURL library. CAN-2005-0490. From Ubuntu. ok brad@, pval@
avsm · Mar 14, 2005 · b293af1 · b293af1
1 parent bd0558d
commit b293af1
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 1 deletion.
diff --git a/net/curl/Makefile b/net/curl/Makefile
@@ -1,8 +1,9 @@
-# $OpenBSD: Makefile,v 1.45 2004/12/16 00:31:21 alek Exp $
+# $OpenBSD: Makefile,v 1.46 2005/03/14 22:52:20 naddy Exp $
 
 COMMENT=	"get files from FTP, Gopher, HTTP or HTTPS servers"
 
 DISTNAME=	curl-7.11.2
+PKGNAME=	${DISTNAME}p0
 CATEGORIES=	net
 MASTER_SITES=	http://curl.haxx.se/download/ \
 		ftp://ftp.sunet.se/pub/www/utilities/curl/ \

diff --git a/net/curl/patches/patch-lib_http_ntlm_c b/net/curl/patches/patch-lib_http_ntlm_c
@@ -0,0 +1,25 @@
+$OpenBSD: patch-lib_http_ntlm_c,v 1.1 2005/03/14 22:52:20 naddy Exp $
+--- lib/http_ntlm.c.orig	Mon Mar 14 21:15:15 2005
++++ lib/http_ntlm.c	Mon Mar 14 21:16:43 2005
+@@ -105,7 +105,6 @@ CURLntlm Curl_input_ntlm(struct connectd
+     header++;
+
+   if(checkprefix("NTLM", header)) {
+-    unsigned char buffer[256];
+     header += strlen("NTLM");
+
+     while(*header && isspace((int)*header))
+@@ -126,7 +125,12 @@ CURLntlm Curl_input_ntlm(struct connectd
+          32 (48) start of data block
+       */
+
+-      size_t size = Curl_base64_decode(header, (char *)buffer);
++      size_t size;
++      unsigned char *buffer = (unsigned char *)malloc(strlen(header));
++      if (buffer == NULL)
++        return CURLNTLM_BAD;
++
++      size = Curl_base64_decode(header, (char *)buffer);
+
+       ntlm->state = NTLMSTATE_TYPE2; /* we got a type-2 */
+