From ekarkkai@pp.htv.fi  Mon Mar  7 18:45:31 2005
Return-Path: <ekarkkai@pp.htv.fi>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id AB5A916A4CE; Mon,  7 Mar 2005 18:45:31 +0000 (GMT)
Received: from smtp1.pp.htv.fi (smtp1.pp.htv.fi [213.243.153.34])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 8401243D39; Mon,  7 Mar 2005 18:45:30 +0000 (GMT)
	(envelope-from ekarkkai@pp.htv.fi)
Received: from cs78133185.pp.htv.fi (cs78133185.pp.htv.fi [62.78.133.185])
	by smtp1.pp.htv.fi (Postfix) with ESMTP id 514AA7FC65;
	Mon,  7 Mar 2005 20:45:29 +0200 (EET)
Received: from thunderbolt.my.domain (thunderbolt.my.domain [10.192.168.30])
	by cs78133185.pp.htv.fi (8.13.1/8.13.1) with ESMTP id j27IjTF7070778;
	Mon, 7 Mar 2005 20:45:29 +0200 (EET)
	(envelope-from ekarkkai@pp.htv.fi)
Received: from thunderbolt.my.domain (localhost [127.0.0.1])
	by thunderbolt.my.domain (8.13.1/8.13.1) with ESMTP id j27IjSFG091356;
	Mon, 7 Mar 2005 20:45:28 +0200 (EET)
	(envelope-from ejk@thunderbolt.my.domain)
Received: (from ejk@localhost)
	by thunderbolt.my.domain (8.13.1/8.13.1/Submit) id j27IjSG6091355;
	Mon, 7 Mar 2005 20:45:28 +0200 (EET)
	(envelope-from ejk)
Message-Id: <200503071845.j27IjSG6091355@thunderbolt.my.domain>
Date: Mon, 7 Mar 2005 20:45:28 +0200 (EET)
From: Esa Karkkainen <ejk@iki.fi>
Reply-To: Esa Karkkainen <ejk@iki.fi>
To: FreeBSD-gnats-submit@freebsd.org
Cc: Esa Karkkainen <ejk@iki.fi>, roam@freebsd.org
Subject: Security update port: ftp/curl from 7.12.3_2 to 7.12.3_3
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         78547
>Category:       ports
>Synopsis:       Security update port: ftp/curl from 7.12.3_2 to 7.12.3_3
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    roam
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Mon Mar 07 18:50:00 GMT 2005
>Closed-Date:    Sat Mar 12 02:38:10 GMT 2005
>Last-Modified:  Sat Mar 12 02:38:10 GMT 2005
>Originator:     Esa Karkkainen
>Release:        FreeBSD 5.3-RELEASE-p3 i386
>Organization:
Is in state of disintegration
>Environment:
System: FreeBSD 5.3-RELEASE-p3 #33: Wed Jan 5 19:01:24 EET 2005
Ports tree cvsupped at Mon Mar  7 19:59:08 2005
>Description:
# portaudit
Affected package: curl-7.12.3_2
Type of problem: curl -- authentication buffer overflow vulnerability.
Reference: <http://www.FreeBSD.org/ports/portaudit/96df5fd0-8900-11d9-aa18-0001020eed82.html>

Fix has been obtained from

http://cool.haxx.se/cvs.cgi/curl/lib/http_ntlm.c.diff?r1=1.36&r2=1.37
>How-To-Repeat:
	cd /usr/ports/ftp/curl && make all
>Fix:

	I've attached fix from cURL CVS below and bumped PORTREVISION
in ports Makefile

diff -ruN /usr/ports/ftp/curl/Makefile curl/Makefile
--- /usr/ports/ftp/curl/Makefile	Tue Dec 21 19:01:02 2004
+++ curl/Makefile	Mon Mar  7 20:30:07 2005
@@ -7,7 +7,7 @@
 
 PORTNAME=	curl
 PORTVERSION=	7.12.3
-PORTREVISION=	2
+PORTREVISION=	3
 CATEGORIES=	ftp ipv6 www
 MASTER_SITES=	http://curl.haxx.se/download/ \
 		${MASTER_SITE_SOURCEFORGE} \
diff -ruN /usr/ports/ftp/curl/files/patch-lib::http_ntlm.c curl/files/patch-lib::http_ntlm.c
--- /usr/ports/ftp/curl/files/patch-lib::http_ntlm.c	Thu Jan  1 02:00:00 1970
+++ curl/files/patch-lib::http_ntlm.c	Mon Mar  7 20:41:50 2005
@@ -0,0 +1,41 @@
+--- lib/http_ntlm.c.orig	Wed Dec  8 01:09:41 2004
++++ lib/http_ntlm.c	Mon Mar  7 20:40:18 2005
+@@ -18,7 +18,7 @@
+  * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+  * KIND, either express or implied.
+  *
+- * $Id: http_ntlm.c,v 1.36 2004/12/07 23:09:41 bagder Exp $
++ * $Id: http_ntlm.c,v 1.37 2005/02/22 07:44:14 bagder Exp $
+  ***************************************************************************/
+ #include "setup.h"
+ 
+@@ -103,7 +103,6 @@
+     header++;
+ 
+   if(checkprefix("NTLM", header)) {
+-    unsigned char buffer[256];
+     header += strlen("NTLM");
+ 
+     while(*header && isspace((int)*header))
+@@ -123,8 +122,12 @@
+          (40)    Target Information  (optional) security buffer(*)
+          32 (48) start of data block
+       */
++      size_t size;
++      unsigned char *buffer = (unsigned char *)malloc(strlen(header));
++      if (buffer == NULL)
++        return CURLNTLM_BAD;
+ 
+-      size_t size = Curl_base64_decode(header, (char *)buffer);
++      size = Curl_base64_decode(header, (char *)buffer);
+ 
+       ntlm->state = NTLMSTATE_TYPE2; /* we got a type-2 */
+ 
+@@ -134,6 +137,7 @@
+ 
+       /* at index decimal 20, there's a 32bit NTLM flag field */
+ 
++      free(buffer);
+     }
+     else {
+       if(ntlm->state >= NTLMSTATE_TYPE1)
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->roam 
Responsible-Changed-By: vs 
Responsible-Changed-When: Tue Mar 8 10:35:54 GMT 2005 
Responsible-Changed-Why:  
Over to maintainer 

http://www.freebsd.org/cgi/query-pr.cgi?pr=78547 
State-Changed-From-To: open->closed 
State-Changed-By: roam 
State-Changed-When: Sat Mar 12 02:37:32 GMT 2005 
State-Changed-Why:  
I've just updated the port to the invulnerable upstream version 7.13.1. 
Still, thanks for your work and the patch! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=78547 
>Unformatted:
