
i need a NMU (was Re: Bug#74569: [SECURITY] buffer overflow in error handling)



i need some help.

i have no debian boxes at this moment. i just changed city and university
and here i still have to infect the environment with debian.

if anybody could do a nmu for me in order to solve this stupid bug, i would
appreciate it a lot. please mail me privately for any help request.

thanks a lot


On Wed, Oct 11, 2000 at 11:52:38PM +0100, Colin Phipps wrote:
> Package: curl-ssl
> Version: 6.0-1.1
> Severity: grave
> 
> There's a buffer overflow in curl's error handling, which can be triggered 
> by badly formed responses from the remote server.
> 
> cph@micro:~/security% cat crash-curl 
> 220 Hi
> 230 Ok
> 227 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> 
> (I've split that onto multiple lines for this email, but in reality the 
> A's are all on one line)
> 
> cph@micro:~/security% cat crash-curl | nc -l -p 1234 
> 
> then, in another terminal...
> 
> cph@micro:~% curl ftp://localhost:1234/
> curl: Couldn't interpret this 227-reply: 227 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> zsh: segmentation fault  curl ftp://localhost:1234/
> 
> (again I split that into shorter lines)
> 
> It's a simple buffer overflow, which a malicious remote ftp server could 
> exploit. This fix causes the error message to be truncated to the buffer 
> size correctly, and I've verified that it fixes the crash.
> 
> --- sendf.c.orig	Wed Oct 11 23:12:18 2000
> +++ sendf.c	Wed Oct 11 23:13:09 2000
> @@ -77,7 +77,7 @@ void failf(struct UrlData *data, char *f
>    va_list ap;
>    va_start(ap, fmt);
>    if(data->errorbuffer)
> -    vsprintf(data->errorbuffer, fmt, ap);
> +    vsnprintf(data->errorbuffer, URLGET_ERROR_SIZE, fmt, ap);
>    else /* no errorbuffer receives this, write to stderr instead */
>      vfprintf(stderr, fmt, ap);
>    va_end(ap);
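Review bot: The bound on the added vsnprintf line is the constant URLGET_ERROR_SIZE, while data->errorbuffer is a pointer whose actual allocation is not visible in this hunk, so the call is only safe if every buffer assigned to errorbuffer is at least URLGET_ERROR_SIZE bytes. Please state that requirement where errorbuffer is declared or documented, or carry the real size alongside the pointer and pass that instead. The return value of vsnprintf is also discarded, so truncation is silent; that is acceptable for an error string, but since C libraries that predate C99 differ in how vsnprintf behaves on truncation, consider writing a terminating NUL to data->errorbuffer[URLGET_ERROR_SIZE-1] after the call.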
> 
> Colin
> 
> -- System Information
> Debian Release: 2.2
> Architecture: i386
> Kernel: Linux micro 2.4.0-test1-ac10 #10 Tue Oct 10 23:25:53 BST 2000 i686
> 
> Versions of packages curl-ssl depends on:
> ii  libc6                         2.1.3-13   GNU C Library: Shared libraries an
> ii  libssl09                      0.9.4-5    SSL shared libraries              
> 
> 
> 


-----[ Domenico Andreoli, aka cavok
 --[ curl -s http://www.freeweb.org/free/cavok/gpgkey.asc | gpg --import
  --[ 3A0F 2F80 F79C 678A 8936  4FEE 0677 9033 A20E BC50
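
The truncating error-buffer write that the quoted report describes, as an added example that is not part of the original mail or of curl's code. ERROR_SIZE (256), struct session, report_error and demo_reply are hypothetical stand-ins, and the 227 reply is constructed; guard bytes placed directly after the buffer show that nothing past it is written.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define ERROR_SIZE 256                   /* assumed; stands in for URLGET_ERROR_SIZE */
struct session { char *errorbuffer; };   /* hypothetical stand-in for struct UrlData */
static size_t last_len;                  /* strlen() of the message demo_reply stored */
static int last_canary_ok;               /* 1 if the bytes after the buffer are intact */

/* Format into the caller's buffer, never writing more than ERROR_SIZE bytes.
 * Returns 0 if the message fit, 1 if it was truncated, -1 on error. */
static int report_error(struct session *s, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (!s || !s->errorbuffer) return -1;
    va_start(ap, fmt);
    /* The unbounded "before" form is vsprintf(s->errorbuffer, fmt, ap). */
    n = vsnprintf(s->errorbuffer, ERROR_SIZE, fmt, ap);
    va_end(ap);
    s->errorbuffer[ERROR_SIZE - 1] = '\0';   /* terminated whatever libc did */
    if (n < 0) return -1;
    return n >= ERROR_SIZE ? 1 : 0;
}

/* Constructed input: a 227 reply carrying `len` filler bytes. */
static int demo_reply(size_t len)
{
    static char reply[4096];
    struct { char buf[ERROR_SIZE]; char canary[8]; } mem;
    struct session s;
    int rc;
    if (len > sizeof(reply) - 5) len = sizeof(reply) - 5;
    memcpy(reply, "227 ", 4);
    memset(reply + 4, 'A', len);
    reply[4 + len] = '\0';
    memset(mem.canary, 'Z', sizeof(mem.canary));
    s.errorbuffer = mem.buf;
    rc = report_error(&s, "Couldn't interpret this 227-reply: %s", reply);
    last_len = strlen(mem.buf);
    last_canary_ok = memcmp(mem.canary, "ZZZZZZZZ", sizeof(mem.canary)) == 0;
    return rc;
}

int main(void)
{
    printf("oversized reply: truncated=%d\n", demo_reply(1000));
    return 0;
}
```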


