From $URL :

Description
Volema has reported a vulnerability in cURL / libcURL, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error within the "Curl_sasl_create_digest_md5_message()" function (lib/curl_sasl.c) when negotiating SASL DIGEST-MD5 authentication and can be exploited to cause a stack-based buffer overflow.

Successful exploitation may allow execution of arbitrary code but requires tricking a user into connecting to a malicious server.

The vulnerability is reported in versions 7.26.0 through 7.28.1.

Solution
Update to version 7.29.0.

Provided and/or discovered by
Volema

Original Advisory
cURL: http://curl.haxx.se/docs/adv_20130206.html
Volema http://blog.volema.com/curl-rce.html
I just added 7.29.0 to the tree.
(In reply to comment #1)
> I just added 7.29.0 to the tree.

Thanks, Anthony. May we proceed to stabilize =net-misc/curl-7.29.0-r1 ?
(In reply to comment #2)
> (In reply to comment #1)
> > I just added 7.29.0 to the tree.
>
> Thanks, Anthony. May we proceed to stabilize =net-misc/curl-7.29.0-r1 ?

Yes. KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
ppc done
Stable for HPPA.
amd64 stable
arm stable
ppc64 stable
alpha stable
ia64 stable
x86 stable
sparc stable
s390 stable
sh stable
New GLSA draft filed.
CVE-2013-0249 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0249): Stack-based buffer overflow in the Curl_sasl_create_digest_md5_message function in lib/curl_sasl.c in curl and libcurl 7.26.0 through 7.28.1, when negotiating SASL DIGEST-MD5 authentication, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string in the realm parameter in a (1) POP3, (2) SMTP or (3) IMAP message.
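The CVE text above describes a long realm value overflowing a stack buffer. As an added example (not part of this bug thread and not curl's code), this is a length-checked extraction of a quoted parameter such as realm from a decoded challenge string; the function names, the 128-byte buffer size and the sample challenge are assumptions made for the illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper, not libcurl code: copy the value of key="..." from a
   decoded challenge into out[outlen]. Backslash escapes are not handled.
   Returns 0 on success, -1 if absent, malformed or bad arguments,
   -2 if the value does not fit. */
int get_quoted_param(const char *chlg, const char *key,
                     char *out, size_t outlen)
{
  size_t klen = strlen(key);
  const char *p = chlg;

  if(outlen == 0 || klen == 0)
    return -1;
  out[0] = '\0';
  while((p = strstr(p, key)) != NULL) {
    /* accept the key only at the start or after a comma ("xrealm" is skipped) */
    if((p == chlg || p[-1] == ',') && p[klen] == '=' && p[klen + 1] == '"') {
      const char *val = p + klen + 2;
      const char *end = strchr(val, '"');
      size_t vlen;
      if(end == NULL)
        return -1;               /* unterminated quoted string */
      vlen = (size_t)(end - val);
      if(vlen >= outlen)
        return -2;               /* reject: no truncation, no overflow */
      memcpy(out, val, vlen);
      out[vlen] = '\0';
      return 0;
    }
    p += klen;
  }
  return -1;
}

/* Constructed input: a challenge whose realm is 300 bytes long, checked
   against a 128-byte stack buffer (the size is an assumption). */
int long_realm_rejected(void)
{
  char realm[128];
  char chlg[512] = "realm=\"";
  size_t n = strlen(chlg);

  memset(chlg + n, 'A', 300);
  strcpy(chlg + n + 300, "\",nonce=\"abc\"");
  return get_quoted_param(chlg, "realm", realm, sizeof(realm)) == -2;
}
```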
Why is this bug still open? <net-misc/curl-7.29.0-r1 is off the tree and glsa is filed.
(In reply to Anthony Basile from comment #17)
> Why is this bug still open? <net-misc/curl-7.29.0-r1 is off the tree and
> glsa is filed.

Anthony, until GLSA is published, the bug needs to stay in GLSA status: https://wiki.gentoo.org/wiki/Project:Security/GLSA_Coordinator_Guide#Bugs_in_.5Bglsa.5D_status
This issue was resolved and addressed in GLSA 201401-14 at http://security.gentoo.org/glsa/glsa-201401-14.xml by GLSA coordinator Sergey Popov (pinkbyte).