Remote exploitation of a buffer overflow vulnerability in multiple vendor's implementations of curl and wget allows attackers to execute arbitrary code. The vulnerability specifically exists due to insufficent bounds checking on user-supplied data supplied to a memory copy operation. The memcpy() of the supplied ntlm username to ntlmbuf shown below results in a stack overflow.
seemant, liquidx: this is theorically confidential but has been leaked, so we should open this bug soon. Feel free to commit fixes to Portage directly, referencing this bug.
Created attachment 70533 [details, diff] libcurl-ntlmbuf.patch Patch from Daniel Stenberg (curl team)
*** Bug 109123 has been marked as a duplicate of this bug. ***
I guess this is completely public now :)
Ouch, didn't see this bug... The stable wget version doesn't support ntlm auth, is therefore not affected.
This is CAN-2005-3185
wget is done. curl still needs some lovin' vapier, solar, dragonheart: got time for some security patching ?
k- I'm working on it. Seems to have some pecular backards compatibility cruft that needs cleaning. When I commit it I wouldn't mind someone having a review.
Commited curl-7.15.0 currently masked I had some gcc-3.4.4 (hardened x86 and ppc) troubles - self tests 253 and 255 failed with smashing stack attack. emerge Portage 2.0.53_rc3 (hardened/x86/2.6, gcc-3.4.4, glibc-2.3.5-r1, 2.6.12-gentoo-r6 i686) ================================================================= System uname: 2.6.12-gentoo-r6 i686 AMD Athlon(tm) XP 1900+ Gentoo Base System version 1.6.13 distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled] ccache version 2.3 [disabled] dev-lang/python: 2.3.5-r2 sys-apps/sandbox: 1.2.13 sys-devel/autoconf: 2.13, 2.59-r6 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1 sys-devel/binutils: 2.16.1 sys-devel/libtool: 1.5.18-r1 virtual/os-headers: 2.6.11-r2 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-march=athlon-xp -O2 -pipe" CHOST="i686-pc-linux-gnu" dan@frog /var/tmp/portage/curl-7.15.0/work/curl-7.15.0/tests $ ./runtests.pl 253 ********* System characteristics ******** * curl 7.15.0 (i686-pc-linux-gnu) * libcurl/7.15.0 GnuTLS/1.2.4 zlib/1.1.4 libidn/0.5.15 * Features: IDN IPv6 Largefile SSL libz * Host: frog * System: Linux frog 2.6.12-gentoo-r6 #1 Wed Jul 27 18:38:45 EST 2005 i686 AMD Athlon(tm) XP 1900+ AuthenticAMD GNU/Linux * Server SSL: ON * libcurl SSL: ON * libcurl debug: OFF * valgrind: OFF * HTTP IPv6 ON * FTP IPv6 ON * HTTP port: 8990 * FTP port: 8992 * FTP port 2: 8995 * HTTPS port: 8991 * HTTP IPv6 port: 8994 * FTP IPv6 port: 8996 * TFTP port: 8997 * SSL library: GnuTLS ***************************************** test 253...[FTP IPv6 dir list with EPRT] sh: line 1: 31666 Aborted ../src/curl --output log/curl253.out --include -v --trace-time -g "ftp://[::1]:8996/" -P - >>log/stdout253 2>>log/stderr253 data FAILED: --- log/check-expected 2005-10-16 01:03:54.000000000 +1000 +++ log/check-generated 2005-10-16 01:03:54.000000000 +1000 @@ -1,11 +0,0 @@ -total 20 -drwxr-xr-x 8 98 98 512 Oct 22 13:06 . -drwxr-xr-x 8 98 98 512 Oct 22 13:06 .. -drwxr-xr-x 2 98 98 512 May 2 1996 .NeXT --r--r--r-- 1 0 1 35 Jul 16 1996 README -lrwxrwxrwx 1 0 1 7 Dec 9 1999 bin -> usr/bin -dr-xr-xr-x 2 0 1 512 Oct 1 1997 dev -drwxrwxrwx 2 98 98 512 May 29 16:04 download.html -dr-xr-xr-x 2 0 1 512 Nov 30 1995 etc -drwxrwxrwx 2 98 1 512 Oct 30 14:33 pub -dr-xr-xr-x 5 0 1 512 Oct 1 1997 usr - abort tests TESTDONE: 0 tests out of 1 reported OK: 0% TESTFAIL: These test cases failed: 253 TESTDONE: 1 tests were considered during 3 seconds. dan@frog /var/tmp/portage/curl-7.15.0/work/curl-7.15.0/tests $ more log/ check-expected curl.log server.input sockdataipv6.log stdout253 check-generated ftpd.log sockctrlipv6.log stderr253 verifyftp dan@frog /var/tmp/portage/curl-7.15.0/work/curl-7.15.0/tests $ more log/stderr253 01:03:54.593324 * About to connect() to ::1 port 8996 01:03:54.593530 * Trying ::1... connected 01:03:54.595141 * Connected to ::1 (::1) port 8996 01:03:54.595210 < 220- _ _ ____ _ 01:03:54.595253 < 220- ___| | | | _ \| | 01:03:54.595294 < 220- / __| | | | |_) | | 01:03:54.595335 < 220- | (__| |_| | _ <| |___ 01:03:54.595377 < 220 \___|\___/|_| \_\_____| 01:03:54.596147 > USER anonymous 01:03:54.596231 < 331 We are happy you popped in! 01:03:54.596935 > PASS curl_by_daniel@haxx.se 01:03:54.597016 < 230 Welcome you silly person 01:03:54.597681 > PWD 01:03:54.597761 < 257 "/nowhere/anywhere" is current directory 01:03:54.597810 * Entry path is '/nowhere/anywhere' 01:03:54.603018 > EPRT |2|::1|33924| 01:03:54.603111 < 200 Thanks for dropping by. We contact you later 01:03:54.603162 * Connect data stream actively 01:03:54.603887 > TYPE A 01:03:54.603969 < 200 I modify TYPE as you wanted 01:03:54.607410 > LIST 01:03:54.607500 < 150 here comes a directory 01:03:54.607607 * Connection accepted from server lt-curl: stack smashing attack in function AllowServerConnect() Needs to be fixed before AT as some 3.4.4 gccs are stable. AT - as you see from the below you have the option of: add net-dns/c-ares with your keyword or use.masking ares net-misc/stunnel is used in 7 self tests that are fairly good. It isn't required though. DEPEND.bad 8 net-misc/curl/curl-7.15.0.ebuild: ~alpha(default-linux/alpha/2005.0) ['net-dns/c-ares'] net-misc/curl/curl-7.15.0.ebuild: ~arm(default-linux/arm/2004.3) ['net-dns/c-ares'] net-misc/curl/curl-7.15.0.ebuild: ~hppa(default-linux/hppa/2004.3) ['net-dns/c-ares'] net-misc/curl/curl-7.15.0.ebuild: ~ia64(default-linux/ia64/2005.0) [ 'net-dns/c-ares'] net-misc/curl/curl-7.15.0.ebuild: ~mips(default-linux/mips/2004.2) ['net-dns/c-ares'] net-misc/curl/curl-7.15.0.ebuild: ~ppc64(default-linux/ppc64/2005.0) ['net-dns/c-ares'] net-misc/curl/curl-7.15.0.ebuild: ~s390(default-linux/s390/2004.3) ['net-dns/c-ares'] net-misc/curl/curl-7.15.0.ebuild: ~sparc(default-linux/sparc/sparc64/2005.1) ['net-dns/c-ares'] RDEPEND.bad 8 net-misc/curl/curl-7.15.0.ebuild: ~alpha(default-linux/alpha/2005.0) ['net-dns/c-ares'] net-misc/curl/curl-7.15.0.ebuild: ~arm(default-linux/arm/2004.3) ['net-dns/c-ares'] net-misc/curl/curl-7.15.0.ebuild: ~hppa(default-linux/hppa/2004.3) ['net-dns/c-ares'] net-misc/curl/curl-7.15.0.ebuild: ~ia64(default-linux/ia64/2005.0) ['net-dns/c-ares'] net-misc/curl/curl-7.15.0.ebuild: ~mips(default-linux/mips/2004.2) ['net-dns/c-ares'] net-misc/curl/curl-7.15.0.ebuild: ~ppc64(default-linux/ppc64/2005.0) ['net-dns/c-ares'] net-misc/curl/curl-7.15.0.ebuild: ~s390(default-linux/s390/2004.3) ['net-dns/c-ares'] net-misc/curl/curl-7.15.0.ebuild: ~sparc(default-linux/sparc/sparc64/2005.1) ['net-dns/c-ares'] note for glsa: put revdep-rebuild fix instructions to be sure
if no proper solution can be found: append-flags -fno-stack-protector works.
Hardened peoples - any chance of a proper fix? Fails with: gcc (GCC) 3.4.4 (Gentoo Hardened 3.4.4-r1, HTB-3.4.4-1.00, ssp-3.4.4-1.0, pie-8.7.8) Works with: gcc (GCC) 3.3.5 (Gentoo Linux 3.3.5-r1, ssp-3.3.2-3, pie-8.7.7.1) curl-7.15.0/lib/ftp.c -> stack smashing attack in function AllowServerConnect()
The guts of testcase 253 start dummy server /var/tmp/portage/curl-7.15.0/work/curl-7.15.0/tests $ make test chmod ugo+x ftpserver.pl ./ftpserver.pl --pidfile .ftp6.pid -s . --ipv6 --port 8996 start curl test: /var/tmp/portage/curl-7.15.0/work/curl-7.15.0/tests $ env LD_LIBRARY_PATH=../lib/.libs/ gdb --args ../src/.libs/curl --output log/curl253.out --include -v --trace-time -g "ftp://[::1]:8996/" -P - For details of another failed test 1. Get the server command and client command strace -fe trace=process ./runtests.pl 2. Run server 3. run client in gdb 4. look in log directory: contains outputs.
dragonheart: since it's not a regression (it was already failing in past versions) please unmask it so that we call for arch testing...
unmasked and ready for keywording. Most self tests work except detailed above (these failed in previous versions).
note: net-dns/c-ares will probably require keywording too.
Currently the curl ebuild seems to only supports c-ares on x86 for some reason (not sure the decision behind this). Also are us arch monkeys just keywording some version of curl now or also some version of wget as well?
yes if someone can cite specific versions I'd be happy to keyword for ppc64
both wget and curl done on x86
Ok, let me see... There is no "need" to mark any wget stable, since only the ~ version (1.10.*) was vulnerable to this. But of course you can mark 1.10.2 stable if you want to. For curl, you need to mark stable the following : - net-misc/curl-7.15.0 - some net-dns/c-ares version in order to solve the c-ares dep.
Stable on hppa (thanks to hansmi for fixing curl) and ppc (tested by hansmi).
Marked net-misc/curl-7.15.0 ppc64 stable and marked c-ares-1.2.1-r1 ~ppc64
sparc stable.
net-misc/curl-7.15.0 and c-ares-1.2.0 (as dep) are now marked "stable" on alpha. Alpha Done.
amd64 done curl-7.15.0 and c-ares-1.2.1-r1
curl-7.15.0 stable on mips. I've masked the ares USE flag on mips for the time being as I don't really feel comfortable marking it stable for mips when there were previously no mips keywords.
GLSA 200510-19 arm, ia64 and s390 should mark stable to benefit from GLSA ppc-macos should mark ~
marked curl-7.15.0 and c-ares-1.3.0 ~ppc-macos
