From owner-freebsd-ports@FreeBSD.ORG Tue Mar 1 23:16:00 2005
Delivered-To: freebsd-ports@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C611616A4D0; Tue, 1 Mar 2005 23:16:00 +0000 (GMT)
Received: from ritamari.vonostingroup.com (ip193-230.digitalrealm.net [216.144.193.230]) by mx1.FreeBSD.org (Postfix) with ESMTP id 45BFE43D49; Tue, 1 Mar 2005 23:16:00 +0000 (GMT) (envelope-from laszlof@tvog.net)
Received: from pcp01940037pcs.waldlk01.mi.comcast.net ([68.32.91.204] helo=[192.168.1.100]) by ritamari.vonostingroup.com with esmtpa (Exim 4.44 (FreeBSD)) id 1D6GcW-000PRR-U3; Tue, 01 Mar 2005 18:17:41 -0500
Message-ID: <4224F82B.3060206@tvog.net>
Date: Tue, 01 Mar 2005 18:18:03 -0500
From: "Frank J. Laszlo"
User-Agent: Mozilla Thunderbird 0.9 (Windows/20041103)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: "Simon L. Nielsen"
References: <200503011646.22680.freebsd@danielquinn.org> <20050301222035.GA822@zaphod.nitro.dk>
In-Reply-To: <20050301222035.GA822@zaphod.nitro.dk>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - ritamari.vonostingroup.com
X-AntiAbuse: Original Domain - freebsd.org
X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [26 6]
X-AntiAbuse: Sender Address Domain - tvog.net
cc: ports@freebsd.org
cc: daniel quinn
Subject: Re: curl -- authentication buffer overflow vulnerability.
X-BeenThere: freebsd-ports@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Porting software to FreeBSD
X-List-Received-Date: Tue, 01 Mar 2005 23:16:01 -0000

Simon L. Nielsen wrote:

> On 2005.03.01 16:46:22 -0500, daniel quinn wrote:
>
>> Affected package: curl-7.12.3_2
>> Type of problem: curl -- authentication buffer overflow vulnerability.
>> Reference:
>
> [...]
>
>> curl's website tells me that version 7.13.1 is available, so I'm thinking
>> this is isolated to FreeBSD.
>
> The issue is present on all operating systems which ship curl, not
> just FreeBSD. The latest version I can find is 7.13.0 which does not
> have the issues fixed yet.

Actually, the latest "FreeBSD" version is still 7.12.3. How that is any
different from the others I have no idea. That's probably the last version
tested on FreeBSD. (After further reading, it appears that the version
reflected there is in direct relation to the version in ports.)

Also note that the vulnerability only exists if you are using NTLM
authentication. There is likely a way to disable this behavior if it is
not being used.

Hope this helps.

Regards,
Frank Laszlo
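A small triage helper in the spirit of Frank's remark that the bug is only reachable through NTLM authentication. This is an added example, not code from the thread, from FreeBSD, or from the curl project. It parses the text that `curl -V` prints (the version line and the `Features:` line) and reports whether a host is exposed: the "last unfixed release is 7.13.0" cut-off is taken from Simon's message in this thread rather than from an advisory, and should be confirmed against the vendor's fix notice before being relied on. The three `curl -V` samples are constructed for the example, not captured from real hosts.

```python
"""Triage `curl -V` output for the NTLM authentication overflow discussed
in the thread.  Added example; the fixed-version cut-off is an assumption
lifted from the thread, not from an advisory."""
import re
import subprocess

# Per the thread, 7.13.0 is the newest release reported as still unfixed.
# ASSUMPTION taken from the thread; verify against the curl advisory.
LAST_UNFIXED = (7, 13, 0)

# Constructed samples standing in for real `curl -V` output.
SAMPLE_PORT_BUILD = """curl 7.12.3 (i386-portbld-freebsd5.3) libcurl/7.12.3 OpenSSL/0.9.7d zlib/1.2.1
Protocols: ftp gopher telnet dict ldap http file https ftps
Features: IPv6 Largefile NTLM SSL libz
"""
SAMPLE_NO_NTLM = """curl 7.12.3 (i386-portbld-freebsd5.3) libcurl/7.12.3 zlib/1.2.1
Protocols: ftp gopher telnet dict ldap http file
Features: IPv6 Largefile libz
"""
SAMPLE_NEWER = """curl 7.13.1 (i386-portbld-freebsd5.3) libcurl/7.13.1 OpenSSL/0.9.7d zlib/1.2.1
Protocols: ftp gopher telnet dict ldap http file https ftps
Features: IPv6 Largefile NTLM SSL libz
"""


def parse_curl_version(output):
    """Return (version_tuple, feature_set) parsed from `curl -V` text."""
    m = re.search(r"^curl (\d+)\.(\d+)\.(\d+)", output, re.M)
    if not m:
        raise ValueError("no 'curl X.Y.Z' version line found")
    version = tuple(int(part) for part in m.groups())
    features = set()
    fm = re.search(r"^Features:\s*(.*)$", output, re.M)
    if fm:
        features = set(fm.group(1).split())
    return version, features


def assess(output):
    """Classify a build: 'exposed', 'no-ntlm' or 'unaffected-version'.

    A build is exposed only when both conditions from the thread hold:
    the version is not newer than the last unfixed release, and the
    binary was built with NTLM support (the only code path the thread
    says is vulnerable)."""
    version, features = parse_curl_version(output)
    if version > LAST_UNFIXED:
        return "unaffected-version"
    if "NTLM" not in features:
        return "no-ntlm"
    return "exposed"


def assess_local_curl():
    """Run the real `curl -V` on this host and classify it.  Returns None if
    curl is not installed; kept separate so the parsing above stays testable
    offline."""
    try:
        out = subprocess.run(["curl", "-V"], capture_output=True, text=True,
                             check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return assess(out)


if __name__ == "__main__":
    for label, sample in (("port build", SAMPLE_PORT_BUILD),
                          ("no NTLM", SAMPLE_NO_NTLM),
                          ("newer", SAMPLE_NEWER)):
        print(f"{label:10s}: {assess(sample)}")
    local = assess_local_curl()
    print("this host :", local if local else "curl not found")
```

The `no-ntlm` verdict is what makes the thread's "disable NTLM if you do not use it" advice checkable: a build whose `Features:` line lacks `NTLM` never reaches the affected code, so it can be scheduled behind hosts that are both unfixed and NTLM-capable.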