COMMAND
curl and curl-ssl
SYSTEMS AFFECTED
Debian GNU/Linux 2.2 (updated packages are also listed below for RedHat Powertools and FreeBSD ports)
PROBLEM
The following is based on a Debian Security Advisory. The version of
curl distributed with Debian GNU/Linux 2.2 had a bug in its error
logging code: when it built an error message it did not check the
size of the buffer allocated for storing that message. A malicious
remote server could exploit this by returning an invalid response to
a request from curl; the response overflows the error buffer and can
trick curl into executing arbitrary code.
Debian ships with two versions of curl: the normal curl package,
and the crypto-enabled curl-ssl package.
Daniel Stenberg is the main author of curl and, according to him,
the information and discussion are accurate, to the point and
describe the problem (even if somewhat unspecific). However, the
most bothersome thing is that the described exploit is *entirely*
wrong!
There is a "buffer overflow" example posted in the curl bug report
system that would make a far better (and correct) example of how to
crash curl using the posted flaw.
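The C program below is an added illustration written for this page; it is not curl's code and not the example from the curl bug report system. It shows the pattern the PROBLEM section describes (a server-controlled line formatted into a fixed-size error buffer with sprintf(), so the server decides how far the write runs) beside a bounded vsnprintf() formatter that always NUL-terminates and reports truncation. The buffer size (256 bytes), the message format and the sample response lines are assumptions made for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed error buffer. This value is an assumption for the
 * example and is not taken from curl's source. */
#define ERRBUF_SIZE 256

/* The unsafe pattern the advisory describes looks like this:
 *
 *     char errbuf[ERRBUF_SIZE];
 *     sprintf(errbuf, "server replied: %s", server_line);
 *
 * Nothing limits the length of server_line, so a hostile server decides
 * how far past the end of errbuf the write goes. This function computes
 * the size of that write without performing it. */
size_t unchecked_write_length(const char *server_line)
{
    int n = snprintf(NULL, 0, "server replied: %s", server_line);
    return n < 0 ? 0 : (size_t)n;          /* excludes the terminating NUL */
}

/* 1 if the unchecked sprintf() above would run past an ERRBUF_SIZE buffer. */
int would_overflow(const char *server_line)
{
    return unchecked_write_length(server_line) + 1 > ERRBUF_SIZE;
}

/* Hardened formatter: bounded write, always NUL-terminated.
 * Returns 1 if the message was truncated to fit, 0 otherwise. */
int format_error(char *errbuf, size_t errbuf_size, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (errbuf_size == 0)
        return 1;
    va_start(ap, fmt);
    n = vsnprintf(errbuf, errbuf_size, fmt, ap);
    va_end(ap);
    if (n < 0) {                 /* encoding error: leave an empty message */
        errbuf[0] = '\0';
        return 1;
    }
    return (size_t)n >= errbuf_size;
}

/* Constructed hostile response line: n bytes of 'A', capped to the
 * scratch buffer; stands in for what a malicious server would send. */
static void build_hostile_line(char *buf, size_t bufsize, size_t n)
{
    if (n >= bufsize)
        n = bufsize - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
}

/* Would the unchecked pattern overflow on an n-byte hostile line? */
int hostile_line_would_overflow(size_t n)
{
    char line[1024];
    build_hostile_line(line, sizeof line, n);
    return would_overflow(line);
}

/* Does the hardened formatter have to truncate an n-byte hostile line? */
int hostile_line_truncated(size_t n)
{
    char line[1024], errbuf[ERRBUF_SIZE];
    build_hostile_line(line, sizeof line, n);
    return format_error(errbuf, sizeof errbuf, "server replied: %s", line);
}

/* Length of the message the hardened formatter leaves in errbuf. */
size_t hostile_line_message_length(size_t n)
{
    char line[1024], errbuf[ERRBUF_SIZE];
    build_hostile_line(line, sizeof line, n);
    format_error(errbuf, sizeof errbuf, "server replied: %s", line);
    return strlen(errbuf);
}

int main(void)
{
    size_t lens[] = { 16, 239, 240, 600 };
    size_t i;

    printf("short line would overflow: %d\n", would_overflow("550 No such file"));
    for (i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("%3zu-byte line: sprintf overflows=%d  snprintf truncated=%d  msg len=%zu\n",
               lens[i], hostile_line_would_overflow(lens[i]),
               hostile_line_truncated(lens[i]), hostile_line_message_length(lens[i]));
    return 0;
}
```

The boundary is where the fixed prefix plus the server line no longer leaves room for the terminating NUL: with a 16-byte prefix and a 256-byte buffer, a 239-byte line fits and a 240-byte line does not. The unchecked version keeps writing past that point; the bounded version stops at 255 characters and tells the caller it did.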
SOLUTION
This bug has been fixed in curl version 6.0-1.1 and curl-ssl
version 6.0-1.2. Debian recommends that you upgrade your curl or
curl-ssl package immediately:
http://security.debian.org/dists/stable/updates/main/source/curl-ssl_6.0-1.2.diff.gz
http://security.debian.org/dists/stable/updates/main/source/curl-ssl_6.0-1.2.dsc
http://security.debian.org/dists/stable/updates/main/source/curl-ssl_6.0.orig.tar.gz
http://security.debian.org/dists/stable/updates/main/binary-alpha/curl-ssl_6.0-1.2_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/curl-ssl_6.0-1.2_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/curl-ssl_6.0-1.2_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/curl-ssl_6.0-1.2_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/curl-ssl_6.0-1.2_sparc.deb
http://security.debian.org/dists/stable/updates/main/source/curl_6.0-1.1.diff.gz
http://security.debian.org/dists/stable/updates/main/source/curl_6.0-1.1.dsc
http://security.debian.org/dists/stable/updates/main/source/curl_6.0.orig.tar.gz
http://security.debian.org/dists/stable/updates/main/binary-alpha/curl_6.0-1.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/curl_6.0-1.1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/curl_6.0-1.1.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/curl_6.0-1.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/curl_6.0-1.1_sparc.deb
For RedHat:
ftp://updates.redhat.com/powertools/6.2/alpha/curl-7.3-3.6.x.alpha.rpm
ftp://updates.redhat.com/powertools/6.2/alpha/curl-devel-7.3-3.6.x.alpha.rpm
ftp://updates.redhat.com/powertools/6.2/sparc/curl-7.3-3.6.x.sparc.rpm
ftp://updates.redhat.com/powertools/6.2/sparc/curl-devel-7.3-3.6.x.sparc.rpm
ftp://updates.redhat.com/powertools/6.2/i386/curl-7.3-3.6.x.i386.rpm
ftp://updates.redhat.com/powertools/6.2/i386/curl-devel-7.3-3.6.x.i386.rpm
ftp://updates.redhat.com/powertools/6.2/SRPMS/curl-7.3-3.6.x.src.rpm
ftp://updates.redhat.com/powertools/7.0/i386/curl-7.3-4.i386.rpm
ftp://updates.redhat.com/powertools/7.0/i386/curl-devel-7.3-4.i386.rpm
ftp://updates.redhat.com/powertools/7.0/SRPMS/curl-7.3-4.src.rpm
For FreeBSD:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/ftp/curl-7.4.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/ftp/curl-7.4.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/ftp/curl-7.4.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/ftp/curl-7.4.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/ftp/curl-7.4.1.tgz