Martin Pitt
February 28th, 2005, 01:05 PM
================================================== =========
Ubuntu Security Notice USN-86-1 February 28, 2005
curl vulnerability
CAN-2005-0940
================================================== =========
A security issue affects the following Ubuntu releases:
Ubuntu 4.10 (Warty Warthog)
The following packages are affected:
libcurl2
libcurl2-gssapi
The problem can be corrected by upgrading the affected package to
version 7.12.0.is.7.11.2-1ubuntu0.1. In general, a standard system
upgrade is sufficient to effect the necessary changes.
Details follow:
infamous41md discovered a buffer overflow in cURL's NT LAN Manager
(NTLM) authentication handling. By sending a specially crafted long
NTLM reply packet, a remote attacker could overflow the reply buffer.
This could lead to execution of arbitrary attacker specified code with
the privileges of the application using the cURL library.
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.12.0.is.7.11.2-1ubuntu0.1.diff.gz
Size/MD5: 160391 4f1c042b0f375a8d06e0403e5baa3b7e
http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.12.0.is.7.11.2-1ubuntu0.1.dsc
Size/MD5: 707 5ec7fa4228218f3186ad7f41ef1b56eb
http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.12.0.is.7.11.2.orig.tar.gz
Size/MD5: 1435629 25e6617ea7dec34d072426942b77801f
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.12.0.is.7.11.2-1ubuntu0.1_amd64.deb
Size/MD5: 108602 17f9e77e1a091f5e22024396ab19be5f
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl2-dbg_7.12.0.is.7.11.2-1ubuntu0.1_amd64.deb
Size/MD5: 1043660 1163357a2e57d670326df84ccbe01108
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl2-dev_7.12.0.is.7.11.2-1ubuntu0.1_amd64.deb
Size/MD5: 568022 b91d5f9a6b39b84962840f8f0a552f91
http://security.ubuntu.com/ubuntu/pool/universe/c/curl/libcurl2-gssapi_7.12.0.is.7.11.2-1ubuntu0.1_amd64.deb
Size/MD5: 111892 283edaf68d6a725710ed966a09729fb1
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl2_7.12.0.is.7.11.2-1ubuntu0.1_amd64.deb
Size/MD5: 224598 d5549b89c19484e8b4488a46e4b5b727
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.12.0.is.7.11.2-1ubuntu0.1_i386.deb
Size/MD5: 107762 dbb0f3404f4955d89e39134c309ba68d
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl2-dbg_7.12.0.is.7.11.2-1ubuntu0.1_i386.deb
Size/MD5: 1028978 6fb4edd748b6b2e92db5cc935fb063cb
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl2-dev_7.12.0.is.7.11.2-1ubuntu0.1_i386.deb
Size/MD5: 556594 31b0848d7a44250a2f3536ead3462a0f
http://security.ubuntu.com/ubuntu/pool/universe/c/curl/libcurl2-gssapi_7.12.0.is.7.11.2-1ubuntu0.1_i386.deb
Size/MD5: 109912 0b5b91da5ca5fc37b1d1e5f04c51962e
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl2_7.12.0.is.7.11.2-1ubuntu0.1_i386.deb
Size/MD5: 222848 77aa777db65b32788cea78fdd1d9ef4d
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.12.0.is.7.11.2-1ubuntu0.1_powerpc.deb
Size/MD5: 110090 ae4f871f3f6126b1ecf787affe26640c
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl2-dbg_7.12.0.is.7.11.2-1ubuntu0.1_powerpc.deb
Size/MD5: 1052794 4bf356eeaaf1f6af0723cc0c63a4ed57
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl2-dev_7.12.0.is.7.11.2-1ubuntu0.1_powerpc.deb
Size/MD5: 573412 501500cf49764c55476e339e9347cd9a
http://security.ubuntu.com/ubuntu/pool/universe/c/curl/libcurl2-gssapi_7.12.0.is.7.11.2-1ubuntu0.1_powerpc.deb
Size/MD5: 116296 9f6d567b715c1ee08afecc02c8909783
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl2_7.12.0.is.7.11.2-1ubuntu0.1_powerpc.deb
Size/MD5: 229450 1c45a89cb1c4852d1260aa21bcc1f6c0
--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
http://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFCIv/WDecnbV4Fd/IRAkZ2AJ0Ws0h5d9j/2hoigolupvUfaLLFJQCgkDSc
n5CFvicA8CLGh6Pmd98ad0E=
=9h2F
-----END PGP SIGNATURE-----
Ubuntu Security Notice USN-86-1 February 28, 2005
curl vulnerability
CAN-2005-0940
================================================== =========
A security issue affects the following Ubuntu releases:
Ubuntu 4.10 (Warty Warthog)
The following packages are affected:
libcurl2
libcurl2-gssapi
The problem can be corrected by upgrading the affected package to
version 7.12.0.is.7.11.2-1ubuntu0.1. In general, a standard system
upgrade is sufficient to effect the necessary changes.
Details follow:
infamous41md discovered a buffer overflow in cURL's NT LAN Manager
(NTLM) authentication handling. By sending a specially crafted long
NTLM reply packet, a remote attacker could overflow the reply buffer.
This could lead to execution of arbitrary attacker specified code with
the privileges of the application using the cURL library.
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.12.0.is.7.11.2-1ubuntu0.1.diff.gz
Size/MD5: 160391 4f1c042b0f375a8d06e0403e5baa3b7e
http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.12.0.is.7.11.2-1ubuntu0.1.dsc
Size/MD5: 707 5ec7fa4228218f3186ad7f41ef1b56eb
http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.12.0.is.7.11.2.orig.tar.gz
Size/MD5: 1435629 25e6617ea7dec34d072426942b77801f
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.12.0.is.7.11.2-1ubuntu0.1_amd64.deb
Size/MD5: 108602 17f9e77e1a091f5e22024396ab19be5f
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl2-dbg_7.12.0.is.7.11.2-1ubuntu0.1_amd64.deb
Size/MD5: 1043660 1163357a2e57d670326df84ccbe01108
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl2-dev_7.12.0.is.7.11.2-1ubuntu0.1_amd64.deb
Size/MD5: 568022 b91d5f9a6b39b84962840f8f0a552f91
http://security.ubuntu.com/ubuntu/pool/universe/c/curl/libcurl2-gssapi_7.12.0.is.7.11.2-1ubuntu0.1_amd64.deb
Size/MD5: 111892 283edaf68d6a725710ed966a09729fb1
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl2_7.12.0.is.7.11.2-1ubuntu0.1_amd64.deb
Size/MD5: 224598 d5549b89c19484e8b4488a46e4b5b727
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.12.0.is.7.11.2-1ubuntu0.1_i386.deb
Size/MD5: 107762 dbb0f3404f4955d89e39134c309ba68d
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl2-dbg_7.12.0.is.7.11.2-1ubuntu0.1_i386.deb
Size/MD5: 1028978 6fb4edd748b6b2e92db5cc935fb063cb
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl2-dev_7.12.0.is.7.11.2-1ubuntu0.1_i386.deb
Size/MD5: 556594 31b0848d7a44250a2f3536ead3462a0f
http://security.ubuntu.com/ubuntu/pool/universe/c/curl/libcurl2-gssapi_7.12.0.is.7.11.2-1ubuntu0.1_i386.deb
Size/MD5: 109912 0b5b91da5ca5fc37b1d1e5f04c51962e
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl2_7.12.0.is.7.11.2-1ubuntu0.1_i386.deb
Size/MD5: 222848 77aa777db65b32788cea78fdd1d9ef4d
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.12.0.is.7.11.2-1ubuntu0.1_powerpc.deb
Size/MD5: 110090 ae4f871f3f6126b1ecf787affe26640c
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl2-dbg_7.12.0.is.7.11.2-1ubuntu0.1_powerpc.deb
Size/MD5: 1052794 4bf356eeaaf1f6af0723cc0c63a4ed57
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl2-dev_7.12.0.is.7.11.2-1ubuntu0.1_powerpc.deb
Size/MD5: 573412 501500cf49764c55476e339e9347cd9a
http://security.ubuntu.com/ubuntu/pool/universe/c/curl/libcurl2-gssapi_7.12.0.is.7.11.2-1ubuntu0.1_powerpc.deb
Size/MD5: 116296 9f6d567b715c1ee08afecc02c8909783
http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl2_7.12.0.is.7.11.2-1ubuntu0.1_powerpc.deb
Size/MD5: 229450 1c45a89cb1c4852d1260aa21bcc1f6c0
--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
http://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFCIv/WDecnbV4Fd/IRAkZ2AJ0Ws0h5d9j/2hoigolupvUfaLLFJQCgkDSc
n5CFvicA8CLGh6Pmd98ad0E=
=9h2F
-----END PGP SIGNATURE-----