Bug 456074 (CVE-2013-0249) - <net-misc/curl-7.29.0-r1: "Curl_sasl_create_digest_md5_message()" Buffer Overflow Vulnerability (CVE-2013-0249)
Status: RESOLVED FIXED
Alias: CVE-2013-0249
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://secunia.com/advisories/52103/
Whiteboard: A2 [glsa]
Reported: 2013-02-07 19:12 UTC by Agostino Sarubbo
Modified: 2014-01-20 14:11 UTC
Description Agostino Sarubbo gentoo-dev 2013-02-07 19:12:38 UTC
From $URL :

Description
Volema has reported a vulnerability in cURL / libcURL, which can be exploited by malicious people 
to compromise a user's system.

The vulnerability is caused due to a boundary error within the 
"Curl_sasl_create_digest_md5_message()" function (lib/curl_sasl.c) when negotiating SASL DIGEST-MD5 
authentication and can be exploited to cause a stack-based buffer overflow.

Successful exploitation may allow execution of arbitrary code but requires tricking a user into 
connecting to a malicious server.

The vulnerability is reported in versions 7.26.0 through 7.28.1.


Solution
Update to version 7.29.0.

Provided and/or discovered by
Volema

Original Advisory
cURL:
http://curl.haxx.se/docs/adv_20130206.html

Volema
http://blog.volema.com/curl-rce.html
Comment 1 Anthony Basile gentoo-dev 2013-02-07 19:15:32 UTC
I just added 7.29.0 to the tree.
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2013-03-03 23:11:20 UTC
(In reply to comment #1)
> I just added 7.29.0 to the tree.

Thanks, Anthony. May we proceed to stabilize =net-misc/curl-7.29.0-r1 ?
Comment 3 Anthony Basile gentoo-dev 2013-03-04 10:58:01 UTC
(In reply to comment #2)
> (In reply to comment #1)
> > I just added 7.29.0 to the tree.
> 
> Thanks, Anthony. May we proceed to stabilize =net-misc/curl-7.29.0-r1 ?

Yes. KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 4 Brent Baude (RETIRED) gentoo-dev 2013-03-04 18:30:42 UTC
ppc done
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2013-03-05 18:29:28 UTC
Stable for HPPA.
Comment 6 Agostino Sarubbo gentoo-dev 2013-03-06 12:23:17 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-03-08 17:57:17 UTC
arm stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-03-09 11:10:05 UTC
ppc64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-03-09 13:31:46 UTC
alpha stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-03-09 14:28:04 UTC
ia64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-03-09 18:08:44 UTC
x86 stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-03-09 19:36:35 UTC
sparc stable
Comment 13 Agostino Sarubbo gentoo-dev 2013-03-10 16:20:00 UTC
s390 stable
Comment 14 Agostino Sarubbo gentoo-dev 2013-03-15 13:30:21 UTC
sh stable
Comment 15 Sean Amoss (RETIRED) gentoo-dev Security 2013-03-17 19:48:06 UTC
New GLSA draft filed.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2013-03-21 18:40:51 UTC
CVE-2013-0249 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0249):
  Stack-based buffer overflow in the Curl_sasl_create_digest_md5_message
  function in lib/curl_sasl.c in curl and libcurl 7.26.0 through 7.28.1, when
  negotiating SASL DIGEST-MD5 authentication, allows remote attackers to cause
  a denial of service (crash) and possibly execute arbitrary code via a long
  string in the realm parameter in a (1) POP3, (2) SMTP or (3) IMAP message.
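
The bug class described above is a copy of a server-supplied realm value into a fixed-size stack buffer without a length check. The following is an added example, not part of this bug report and not curl's code, showing a bounded extraction that rejects an oversized realm; the helper name `get_quoted_param`, the `REALM_MAX` size and the sample challenge are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define REALM_MAX 128 /* assumed size of the caller's fixed stack buffer */

/* Hypothetical helper (not from curl): copy the value of key="..." out of a
 * decoded DIGEST-MD5 challenge into out[outlen].
 * Returns 0 on success, -1 if the key is absent or malformed, and -2 if the
 * value does not fit, which is the case an unchecked copy turns into a
 * stack overflow. Backslash-escaped quotes inside values are not handled. */
int get_quoted_param(const char *chlg, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    const char *p = chlg;

    if (outlen == 0)
        return -1;
    out[0] = '\0';

    /* Accept the key only at the start of a parameter, followed by =" */
    while ((p = strstr(p, key)) != NULL) {
        if ((p == chlg || p[-1] == ',') && p[klen] == '=' && p[klen + 1] == '"')
            break;
        p += klen;
    }
    if (p == NULL)
        return -1;

    const char *val = p + klen + 2;
    const char *end = strchr(val, '"');
    if (end == NULL)
        return -1;
    size_t vlen = (size_t)(end - val);
    if (vlen >= outlen) /* server-controlled length: reject, never copy */
        return -2;
    memcpy(out, val, vlen);
    out[vlen] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample challenge, as it would look after base64 decoding */
    const char *chlg = "realm=\"mail.example\",nonce=\"OA6MG9tEQGm2hh\",qop=\"auth\"";
    char realm[REALM_MAX];
    int rc = get_quoted_param(chlg, "realm", realm, sizeof realm);
    printf("rc=%d realm=%s\n", rc, realm);
    return 0;
}
```
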
Comment 17 Anthony Basile gentoo-dev 2013-12-18 15:46:31 UTC
Why is this bug still open? <net-misc/curl-7.29.0-r1 is off the tree and glsa is filed.
Comment 18 Yury German Gentoo Infrastructure gentoo-dev 2013-12-18 16:28:26 UTC
(In reply to Anthony Basile from comment #17)
> Why is this bug still open? <net-misc/curl-7.29.0-r1 is off the tree and
> glsa is filed.

Anthony, until GLSA is published, the bug needs to stay in GLSA status:

https://wiki.gentoo.org/wiki/Project:Security/GLSA_Coordinator_Guide#Bugs_in_.5Bglsa.5D_status
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2014-01-20 14:11:22 UTC
This issue was resolved and addressed in
 GLSA 201401-14 at http://security.gentoo.org/glsa/glsa-201401-14.xml
by GLSA coordinator Sergey Popov (pinkbyte).