Debian Bug report logs - #342696
CVE-2005-4077: off-by-one errors in libcurl

Package: curl; Maintainer for curl is Alessandro Ghedini <ghedo@debian.org>; Source for curl is src:curl.

Reported by: Martin Schulze <joey@infodrom.org>

Date: Fri, 9 Dec 2005 15:48:04 UTC

Severity: important

Tags: sarge, security

Done: Domenico Andreoli <cavok@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Domenico Andreoli <cavok@debian.org>:
Bug#342696; Package curl. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
New Bug report received and forwarded. Copy sent to Domenico Andreoli <cavok@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: submit@bugs.debian.org
Subject: CVE-2005-4077: off-by-one errors in libcurl
Date: Fri, 9 Dec 2005 16:07:02 +0100
Package: curl
Severity: important
Tags: security woody sarge etch sid
Found: 7.9.5-1
found: 7.13.2-2
found: 7.15.1-1

http://www.hardened-php.net/advisory_242005.109.html

Stefan Esser discovered several off-by-one errors in libcurl, a
multi-protocol file transfer library, that allows local users to
trigger a buffer overflow and cause a denial of service or bypass PHP
security restrictions via certain URLs.

Regards,

	Joey

-- 
Have you ever noticed that "General Public Licence" contains the word "Pub"?

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org, Domenico Andreoli <cavok@debian.org>:
Bug#342696; Package curl. Full text and rfc822 format available.

Acknowledgement sent to Daniel Stenberg <daniel@haxx.se>:
Extra info received and forwarded to list. Copy sent to Domenico Andreoli <cavok@debian.org>. Full text and rfc822 format available.

Message #10 received at 342696@bugs.debian.org (full text, mbox):

From: Daniel Stenberg <daniel@haxx.se>
To: 342696@bugs.debian.org
Subject: no
Date: Fri, 9 Dec 2005 22:59:40 +0100 (CET)
Nope,

the mentioned flaw is not present in 7.15.1 nor in 7.9.5. As mentioned both in 
the referenced advisory and the one I issued before that.


-- 
         -=- Daniel Stenberg -=- http://daniel.haxx.se -=-




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#342696; Package curl. Full text and rfc822 format available.

Acknowledgement sent to Domenico Andreoli <cavok@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #15 received at 342696@bugs.debian.org (full text, mbox):

From: Domenico Andreoli <cavok@debian.org>
To: Martin Schulze <joey@infodrom.org>
Cc: 342696@bugs.debian.org, Daniel Stenberg <daniel@haxx.se>, control@bugs.debian.org
Subject: Re: Bug#342696: CVE-2005-4077: off-by-one errors in libcurl
Date: Sat, 10 Dec 2005 10:59:35 +0100
notfound 342696 7.9.5-1
notfound 342696 7.15.1-1
tags 342696 - woody sid
thanks

joey,

On Fri, Dec 09, 2005 at 04:07:02PM +0100, Martin Schulze wrote:
> 
> http://www.hardened-php.net/advisory_242005.109.html
> 
> Stefan Esser discovered several off-by-one errors in libcurl, a
> multi-protocol file transfer library, that allows local users to
> trigger a buffer overflow and cause a denial of service or bypass PHP
> security restrictions via certain URLs.

this is a duplicate of #342339.

current sid version, 7.15.1-1 is already fixed. current woody version,
7.9.5-1 is not affected either.

etch and sarge are left. for what regards sarge, i already prepared a
security fix and sent a mail to the security team, you can read it in
the log of #342339.

curl 7.13.2-2sarge4 is available at http://people.debian.org/~cavok/curl/,
please give it a glance.

regards
domenico

-----[ Domenico Andreoli, aka cavok
 --[ http://people.debian.org/~cavok/gpgkey.asc
   ---[ 3A0F 2F80 F79C 678A 8936  4FEE 0677 9033 A20E BC50



Bug marked as not found in version 7.9.5-1. Request was from Domenico Andreoli <cavok@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug marked as not found in version 7.15.1-1. Request was from Domenico Andreoli <cavok@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags removed: woody, sid Request was from Domenico Andreoli <cavok@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Domenico Andreoli <cavok@debian.org>:
Bug#342696; Package curl. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Domenico Andreoli <cavok@debian.org>. Full text and rfc822 format available.

Message #26 received at 342696@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Domenico Andreoli <cavok@debian.org>
Cc: 342696@bugs.debian.org, Daniel Stenberg <daniel@haxx.se>, control@bugs.debian.org
Subject: Re: Bug#342696: CVE-2005-4077: off-by-one errors in libcurl
Date: Sat, 10 Dec 2005 12:14:08 +0100
Domenico Andreoli wrote:
> > http://www.hardened-php.net/advisory_242005.109.html
> > 
> > Stefan Esser discovered several off-by-one errors in libcurl, a
> > multi-protocol file transfer library, that allows local users to
> > trigger a buffer overflow and cause a denial of service or bypass PHP
> > security restrictions via certain URLs.
> 
> this is a duplicate of #342339.

Umh... I didn't see that bug.

> current sid version, 7.15.1-1 is already fixed. current woody version,
> 7.9.5-1 is not affected either.

Are you sure?  Even though the code is quite different, the buffer
extension part of the patch also applied to the woody package.

> etch and sarge are left. for what regards sarge, i already prepared a
> security fix and sent a mail to the security team, you can read it in
> the log of #342339.

Oh, haven't seen it.  Will check.

> curl 7.13.2-2sarge4 is available at http://people.debian.org/~cavok/curl/,
> please give it a glance.

Done.  Will prepare a new upload.

It seems we have never talked about CVE-2005-3185 before.  And even worse,
when I checked I didn't find the offending file in the archive.

Thanks,

	Joey

-- 
The only stupid question is the unasked one.

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org, Domenico Andreoli <cavok@debian.org>:
Bug#342696; Package curl. Full text and rfc822 format available.

Acknowledgement sent to Daniel Stenberg <daniel@haxx.se>:
Extra info received and forwarded to list. Copy sent to Domenico Andreoli <cavok@debian.org>. Full text and rfc822 format available.

Message #31 received at 342696@bugs.debian.org (full text, mbox):

From: Daniel Stenberg <daniel@haxx.se>
To: Martin Schulze <joey@infodrom.org>
Cc: Domenico Andreoli <cavok@debian.org>, 342696@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#342696: CVE-2005-4077: off-by-one errors in libcurl
Date: Sat, 10 Dec 2005 19:47:26 +0100 (CET)
On Sat, 10 Dec 2005, Martin Schulze wrote:

>> 7.9.5-1 is not affected either.
>
> Are you sure?  Even though the code is quite different, the buffer extension 
> part of the patch also applied to the woody package.

Since 7.9.5 is way older than the particular code that this problem concerns, 
it just _can't_ be vulnerable to this. It might be vulnerable to similar 
things, but not exactly this.

> It seems we have never talked about CVE-2005-3185 before.  And even worse, 
> when I checked I didn't find the offending file in the archive.

I'm not sure what that means, but Domenico got informed about CVE-2005-3185 
within hours after I did, and his curl 7.15.0-1 release mentions it and the 
closing of the corresponding debian bug report: #333734

-- 
         -=- Daniel Stenberg -=- http://daniel.haxx.se -=-
  ech`echo xiun|tr nu oc|sed 'sx\([sx]\)\([xoi]\)xo un\2\1 is xg'`ol



Information forwarded to debian-bugs-dist@lists.debian.org, Domenico Andreoli <cavok@debian.org>:
Bug#342696; Package curl. Full text and rfc822 format available.

Acknowledgement sent to Daniel Stenberg <daniel@haxx.se>:
Extra info received and forwarded to list. Copy sent to Domenico Andreoli <cavok@debian.org>. Full text and rfc822 format available.

Message #36 received at 342696@bugs.debian.org (full text, mbox):

From: Daniel Stenberg <daniel@haxx.se>
To: 342696@bugs.debian.org
Subject: not enough ?
Date: Tue, 13 Dec 2005 12:02:23 +0100 (CET)
Hi

The fix to 7.13.2 may not have been enough:

  http://curl.haxx.se/mail/lib-2005-12/0119.html

7.9.5 was not vulnerable to CVE-2005-4077

-- 
 Commercial curl and libcurl Technical Support: http://haxx.se/curl.html



Tags removed: etch Request was from Domenico Andreoli <cavok@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#342696; Package curl. Full text and rfc822 format available.

Acknowledgement sent to Domenico Andreoli <cavok@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #43 received at 342696@bugs.debian.org (full text, mbox):

From: Domenico Andreoli <cavok@debian.org>
To: Debian Security Team <team@security.debian.org>
Cc: 342696@bugs.debian.org
Subject: curl's off-by-one error (#342696, CVE-2005-4077) update for sarge
Date: Wed, 1 Mar 2006 18:38:37 +0100
hi,

  long time ago the upstream developer informed me that the fix for
curl's CVE-2005-4077 now in sarge with 7.13.2-2sarge4 is not enough.

i finally came with a fixed curl 7.13.2-2sarge5 package. it is available
at http://people.debian.org/~cavok/curl/.

debdiff output:

diff -u curl-7.13.2/lib/url.c curl-7.13.2/lib/url.c
--- curl-7.13.2/lib/url.c
+++ curl-7.13.2/lib/url.c
@@ -2324,12 +2324,12 @@
    * 2 - an extra slash (in case a syntax like "www.host.com?moo" is used)
    */
 
-  conn->pathbuffer=(char *)malloc(urllen+2);
+  conn->pathbuffer=(char *)malloc(urllen+3);
   if(NULL == conn->pathbuffer)
     return CURLE_OUT_OF_MEMORY; /* really bad error */
   conn->path = conn->pathbuffer;
 
-  conn->host.rawalloc=(char *)malloc(urllen+2);
+  conn->host.rawalloc=(char *)malloc(urllen+3);
   if(NULL == conn->host.rawalloc)
     return CURLE_OUT_OF_MEMORY;
   conn->host.name = conn->host.rawalloc;
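Review bot: the size comment above the allocations (the list ending with "2 - an extra slash (in case a syntax like "www.host.com?moo" is used)") still accounts for two extra bytes while both `malloc(urllen+3)` calls now reserve three, so the comment and the code disagree; extend the enumerated list to state what the third byte is for, and consider computing one named size for both `conn->pathbuffer` and `conn->host.rawalloc` so the two allocations cannot drift apart again.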
diff -u curl-7.13.2/debian/changelog curl-7.13.2/debian/changelog
--- curl-7.13.2/debian/changelog
+++ curl-7.13.2/debian/changelog
@@ -1,3 +1,10 @@
+curl (7.13.2-2sarge5) stable-security; urgency=high
+
+  * Fixed previously applied patch to fix off-by-one error [lib/url.c,
+    CVE-2005-4077]
+
+ -- Domenico Andreoli <cavok@debian.org>  Wed,  1 Mar 2006 17:15:51 +0100
+
 curl (7.13.2-2sarge4) stable-security; urgency=high
 
   * Non-maintainer upload by the Security Team
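Review bot: the changelog entry "Fixed previously applied patch to fix off-by-one error" does not say what was wrong with the 2sarge4 fix; since this stable-security upload supersedes an earlier fix for the same CVE, state the defect (the two allocations in lib/url.c grow by one byte) and cite the upstream discussion at http://curl.haxx.se/mail/lib-2005-12/0119.html so the entry is self-explanatory without this bug log.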


let me know if the upload is desired.

cheers
domenico

On Tue, Dec 13, 2005 at 12:02:23PM +0100, Daniel Stenberg wrote:
> Hi
> 
> The fix to 7.13.2 may not have been enough:
> 
>   http://curl.haxx.se/mail/lib-2005-12/0119.html
> 
> 7.9.5 was not vulnerable to CVE-2005-4077


-----[ Domenico Andreoli, aka cavok
 --[ http://people.debian.org/~cavok/gpgkey.asc
   ---[ 3A0F 2F80 F79C 678A 8936  4FEE 0677 9033 A20E BC50

Information forwarded to debian-bugs-dist@lists.debian.org, Domenico Andreoli <cavok@debian.org>:
Bug#342696; Package curl. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Domenico Andreoli <cavok@debian.org>. Full text and rfc822 format available.

Message #48 received at 342696@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Domenico Andreoli <cavok@debian.org>
Cc: Debian Security Team <team@security.debian.org>, 342696@bugs.debian.org
Subject: Re: curl's off-by-one error (#342696, CVE-2005-4077) update for sarge
Date: Wed, 1 Mar 2006 22:54:18 +0100
Domenico Andreoli wrote:
>   long time ago the upstream developer informed me that the fix for
> curl's CVE-2005-4077 now in sarge with 7.13.2-2sarge4 is not enough.

Ouch!

> i finally came with a fixed curl 7.13.2-2sarge5 package. it is available
> at http://people.debian.org/~cavok/curl/.

Thanks a lot.  Uploaded.

I've also added the first part of the patch to the woody update.

Could you tell us which version in sid corrects the correction?

Regards,

	Joey

-- 
Long noun chains don't automatically imply security.  -- Bruce Schneier

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#342696; Package curl. Full text and rfc822 format available.

Acknowledgement sent to Domenico Andreoli <cavok@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #53 received at 342696@bugs.debian.org (full text, mbox):

From: Domenico Andreoli <cavok@debian.org>
To: Martin Schulze <joey@infodrom.org>
Cc: Debian Security Team <team@security.debian.org>, 342696@bugs.debian.org, curl-library@cool.haxx.se
Subject: Re: Bug#342696: curl's off-by-one error (#342696, CVE-2005-4077) update for sarge
Date: Fri, 3 Mar 2006 17:22:24 +0100
On Wed, Mar 01, 2006 at 10:54:18PM +0100, Martin Schulze wrote:
> Domenico Andreoli wrote:
> >   long time ago the upstream developer informed me that the fix for
> > curl's CVE-2005-4077 now in sarge with 7.13.2-2sarge4 is not enough.
> 
> Ouch!
> 
> > i finally came with a fixed curl 7.13.2-2sarge5 package. it is available
> > at http://people.debian.org/~cavok/curl/.
> 
> Thanks a lot.  Uploaded.
> 
> I've also added the first part of the patch to the woody update.
> 
> Could you tell us which version in sid corrects the correction?

7.15.1-1 already fixed this. please read
http://curl.haxx.se/mail/lib-2005-12/0119.html.

this correction is required only for versions between 7.11.2 (included)
and 7.14.0 (included). versions before 7.11.2 are not affected. after
7.14.0, the first patch (the one applied to get 7.13.2-2sarge3)
is enough.

cheers
domenico

-----[ Domenico Andreoli, aka cavok
 --[ http://people.debian.org/~cavok/gpgkey.asc
   ---[ 3A0F 2F80 F79C 678A 8936  4FEE 0677 9033 A20E BC50

Reply sent to Domenico Andreoli <cavok@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Martin Schulze <joey@infodrom.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #58 received at 342696-done@bugs.debian.org (full text, mbox):

From: Domenico Andreoli <cavok@debian.org>
To: 342696-done@bugs.debian.org
Subject: closing #342696...
Date: Tue, 14 Mar 2006 18:04:58 +0100
hi,

this bug has been finally fixed also in stable with curl 7.13.2-2sarge5.
have a look at http://www.debian.org/security/2005/dsa-919 for more info.

cheers
domenico

-----[ Domenico Andreoli, aka cavok
 --[ http://people.debian.org/~cavok/gpgkey.asc
   ---[ 3A0F 2F80 F79C 678A 8936  4FEE 0677 9033 A20E BC50



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 18 Jun 2007 22:24:53 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 01:25:41 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.