| Summary: | net-misc/curl: buffer overflow vulnerability | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Carsten Lohrke (RETIRED) <carlo> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED DUPLICATE | ||
| Severity: | normal | CC: | liquidx |
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
Remote exploitation of a buffer overflow vulnerability in multiple vendor's implementations of curl and wget allows attackers to execute arbitrary code. The vulnerability specifically exists due to insufficent bounds checking on user-supplied data supplied to a memory copy operation. The memcpy() of the supplied ntlm username to ntlmbuf shown below results in a stack overflow: http-ntlm.c in ntlm_output() on line 532: /* size is now 64 */ size=64; ntlmbuf[62]=ntlmbuf[63]=0; memcpy(&ntlmbuf[size], domain, domlen); size += domlen; memcpy(&ntlmbuf[size], usr, userlen); size += userlen; The resulting stack overflow can be leveraged to gain arbitrary code execution with user privileges. http://www.mail-archive.com/wget%40sunsite.dk/msg08294.html