package/libcurl/libcurl-cve-2013-0249.patch - buildroot - Git at Google

 From ee45a34907ffeb5fd95b0513040d8491d565b663 Mon Sep 17 00:00:00 2001
 From: Eldar Zaitov <kyprizel@volema.com>
 Date: Wed, 30 Jan 2013 23:22:27 +0100
 Subject: [PATCH] Curl_sasl_create_digest_md5_message: fix buffer overflow

 When negotiating SASL DIGEST-MD5 authentication, the function
 Curl_sasl_create_digest_md5_message() uses the data provided from the
 server without doing the proper length checks and that data is then
 appended to a local fixed-size buffer on the stack.

 This vulnerability can be exploited by someone who is in control of a
 server that a libcurl based program is accessing with POP3, SMTP or
 IMAP. For applications that accept user provided URLs, it is also
 thinkable that a malicious user would feed an application with a URL to
 a server hosting code targetting this flaw.

 Bug: http://curl.haxx.se/docs/adv_20130206.html
 ---
  lib/curl_sasl.c |   23 ++++++-----------------
  1 file changed, 6 insertions(+), 17 deletions(-)

 diff --git a/lib/curl_sasl.c b/lib/curl_sasl.c
 index 57116b6..d07387d 100644
 --- a/lib/curl_sasl.c
 +++ b/lib/curl_sasl.c
 @@ -346,9 +346,7 @@ CURLcode Curl_sasl_create_digest_md5_message(struct SessionHandle *data,
      snprintf(&HA1_hex[2 * i], 3, "%02x", digest[i]);

    /* Prepare the URL string */
 -  strcpy(uri, service);
 -  strcat(uri, "/");
 -  strcat(uri, realm);
 +  snprintf(uri, sizeof(uri), "%s/%s", service, realm);

    /* Calculate H(A2) */
    ctxt = Curl_MD5_init(Curl_DIGEST_MD5);
 @@ -392,20 +390,11 @@ CURLcode Curl_sasl_create_digest_md5_message(struct SessionHandle *data,
    for(i = 0; i < MD5_DIGEST_LEN; i++)
      snprintf(&resp_hash_hex[2 * i], 3, "%02x", digest[i]);

 -  strcpy(response, "username=\"");
 -  strcat(response, userp);
 -  strcat(response, "\",realm=\"");
 -  strcat(response, realm);
 -  strcat(response, "\",nonce=\"");
 -  strcat(response, nonce);
 -  strcat(response, "\",cnonce=\"");
 -  strcat(response, cnonce);
 -  strcat(response, "\",nc=");
 -  strcat(response, nonceCount);
 -  strcat(response, ",digest-uri=\"");
 -  strcat(response, uri);
 -  strcat(response, "\",response=");
 -  strcat(response, resp_hash_hex);
 +  snprintf(response, sizeof(response),
 +           "username=\"%s\",realm=\"%s\",nonce=\"%s\","
 +           "cnonce=\"%s\",nc=\"%s\",digest-uri=\"%s\",response=%s",
 +           userp, realm, nonce,
 +           cnonce, nonceCount, uri, resp_hash_hex);

    /* Base64 encode the reply */
    return Curl_base64_encode(data, response, 0, outptr, outlen);
 --
 1.7.10.4
	From ee45a34907ffeb5fd95b0513040d8491d565b663 Mon Sep 17 00:00:00 2001
	From: Eldar Zaitov <kyprizel@volema.com>
	Date: Wed, 30 Jan 2013 23:22:27 +0100
	Subject: [PATCH] Curl_sasl_create_digest_md5_message: fix buffer overflow

	When negotiating SASL DIGEST-MD5 authentication, the function
	Curl_sasl_create_digest_md5_message() uses the data provided from the
	server without doing the proper length checks and that data is then
	appended to a local fixed-size buffer on the stack.

	This vulnerability can be exploited by someone who is in control of a
	server that a libcurl based program is accessing with POP3, SMTP or
	IMAP. For applications that accept user provided URLs, it is also
	thinkable that a malicious user would feed an application with a URL to
	a server hosting code targetting this flaw.

	Bug: http://curl.haxx.se/docs/adv_20130206.html
	---
	lib/curl_sasl.c \| 23 ++++++-----------------
	1 file changed, 6 insertions(+), 17 deletions(-)

	diff --git a/lib/curl_sasl.c b/lib/curl_sasl.c
	index 57116b6..d07387d 100644
	--- a/lib/curl_sasl.c
	+++ b/lib/curl_sasl.c
	@@ -346,9 +346,7 @@ CURLcode Curl_sasl_create_digest_md5_message(struct SessionHandle *data,
	snprintf(&HA1_hex[2 * i], 3, "%02x", digest[i]);

	/* Prepare the URL string */
	- strcpy(uri, service);
	- strcat(uri, "/");
	- strcat(uri, realm);
	+ snprintf(uri, sizeof(uri), "%s/%s", service, realm);

	/* Calculate H(A2) */
	ctxt = Curl_MD5_init(Curl_DIGEST_MD5);
	@@ -392,20 +390,11 @@ CURLcode Curl_sasl_create_digest_md5_message(struct SessionHandle *data,
	for(i = 0; i < MD5_DIGEST_LEN; i++)
	snprintf(&resp_hash_hex[2 * i], 3, "%02x", digest[i]);

	- strcpy(response, "username=\"");
	- strcat(response, userp);
	- strcat(response, "\",realm=\"");
	- strcat(response, realm);
	- strcat(response, "\",nonce=\"");
	- strcat(response, nonce);
	- strcat(response, "\",cnonce=\"");
	- strcat(response, cnonce);
	- strcat(response, "\",nc=");
	- strcat(response, nonceCount);
	- strcat(response, ",digest-uri=\"");
	- strcat(response, uri);
	- strcat(response, "\",response=");
	- strcat(response, resp_hash_hex);
	+ snprintf(response, sizeof(response),
	+ "username=\"%s\",realm=\"%s\",nonce=\"%s\","
	+ "cnonce=\"%s\",nc=\"%s\",digest-uri=\"%s\",response=%s",
	+ userp, realm, nonce,
	+ cnonce, nonceCount, uri, resp_hash_hex);

	/* Base64 encode the reply */
	return Curl_base64_encode(data, response, 0, outptr, outlen);
	--
	1.7.10.4