__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN libcurl Vulnerability [Red Hat Security Advisory RHSA-2005:807] November 2, 2005 18:00 GMT Number Q-039 [REVISED 29 Nov 2005] [REVISED 12 Dec 2005] ______________________________________________________________________________ PROBLEM: A security vulnerability was discovered in products that use libcurl when NTLM authentication is enabled. PLATFORM: Red Hat Desktop (v. 3, v. 4) Red Hat Enterprise Linux AS, ES, WS (v. 2.1, v. 3, v. 4) Red Hat Linux Advanced Workstation 2.1 for Itanium Processor SGI ProPack 3 Service Pack 6 for SGI Altix family of systems Debian GNU/Linux 3.0 alias woody Debian GNU/Linux 3.1 alias sarge DAMAGE: Stack-based buffer overflow in the ntlm_output function in http-ntlm.c for products that use libcurl, when NTLM authentication is enabled, allows remote servers to execute arbitrary code via a long NTLM username. SOLUTION: Apply the available security updates. ______________________________________________________________________________ VULNERABILITY The risk is LOW. Exploiting this vulnerability allows a remote ASSESSMENT: attacker to execute arbitrary code via a long NTLM username. A user must be tricked into connecting to a malicious web server using NTLM authentication. 
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/q-039.shtml
 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2005-807.html
 ADDITIONAL LINKS:   https://rhn.redhat.com/errata/RHSA-2005-812.html
                     SGI Security Advisory Update #51, Number 20051101-01-U
                     ftp://patches.sgi.com/support/free/security/advisories/20051101-01-U.asc
                     Debian Security Advisory DSA-919-1
                     http://www.debian.org/security/2005/dsa-919
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3185
______________________________________________________________________________
REVISION HISTORY:
 11/29/2005 - added a link to SGI Advanced Linux Environment 3 Security
              Update #51 (#20051101-01-U), which provides Patch 10242 for
              SGI ProPack 3 Service Pack 6.
 12/12/2005 - added a link to Debian Security Advisory DSA-919-1 for Debian
              GNU/Linux 3.0 alias woody and Debian GNU/Linux 3.1 alias sarge.

[***** Start Red Hat Security Advisory RHSA-2005:807 *****]

Moderate: curl security update

Advisory:         RHSA-2005:807-6
Type:             Security Advisory
Issued on:        2005-11-02
Last updated on:  2005-11-02

Affected Products:
  Red Hat Desktop (v. 3)
  Red Hat Desktop (v. 4)
  Red Hat Enterprise Linux AS (v. 3)
  Red Hat Enterprise Linux AS (v. 4)
  Red Hat Enterprise Linux ES (v. 3)
  Red Hat Enterprise Linux ES (v. 4)
  Red Hat Enterprise Linux WS (v. 3)
  Red Hat Enterprise Linux WS (v. 4)

CVEs (cve.mitre.org): CVE-2005-3185

Details

Updated curl packages that fix a security issue are now available.

This update has been rated as having moderate security impact by the Red Hat
Security Response Team.

cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and Dict
servers, using any of the supported protocols.

A stack-based buffer overflow bug was found in cURL's NTLM authentication
module. It is possible to execute arbitrary code on a user's machine if the
user can be tricked into connecting to a malicious web server using NTLM
authentication.
The Common Vulnerabilities and Exposures project has assigned the name
CVE-2005-3185 to this issue.

All users of curl are advised to upgrade to these updated packages, which
contain a backported patch that resolves this issue.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network. To use Red Hat Network, launch
the Red Hat Update Agent with the following command:

    up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Updated packages

Red Hat Desktop (v. 3)
--------------------------------------------------------------------------------
SRPMS:
curl-7.10.6-7.rhel3.src.rpm               1b0d0a36924e60bf0c6ef75974c04ca8
IA-32:
curl-7.10.6-7.rhel3.i386.rpm              ecfce4eee3ede7414af9419bb857a663
curl-devel-7.10.6-7.rhel3.i386.rpm        70ad959c7f566c2145d6024845d3a78f
x86_64:
curl-7.10.6-7.rhel3.i386.rpm              ecfce4eee3ede7414af9419bb857a663
curl-7.10.6-7.rhel3.x86_64.rpm            8646b2ff68f5f1ee2cc1ff5da875e7c7
curl-devel-7.10.6-7.rhel3.x86_64.rpm      65db40cfdfc676fd1a12c0b6bfae699a

Red Hat Desktop (v. 4)
--------------------------------------------------------------------------------
SRPMS:
curl-7.12.1-6.rhel4.src.rpm               354e2083a66997cc4f868b08f049798e
IA-32:
curl-7.12.1-6.rhel4.i386.rpm              7932c8695503fdf03165952b4c5ded91
curl-devel-7.12.1-6.rhel4.i386.rpm        0bab280280fa3770e00b88cf34dab80e
x86_64:
curl-7.12.1-6.rhel4.i386.rpm              7932c8695503fdf03165952b4c5ded91
curl-7.12.1-6.rhel4.x86_64.rpm            dc308198a4f9c9e5477911096a5e65de
curl-devel-7.12.1-6.rhel4.x86_64.rpm      6cc5d58957f9ddb9fef20c6201fe4e33

Red Hat Enterprise Linux AS (v. 3)
--------------------------------------------------------------------------------
SRPMS:
curl-7.10.6-7.rhel3.src.rpm               1b0d0a36924e60bf0c6ef75974c04ca8
IA-32:
curl-7.10.6-7.rhel3.i386.rpm              ecfce4eee3ede7414af9419bb857a663
curl-devel-7.10.6-7.rhel3.i386.rpm        70ad959c7f566c2145d6024845d3a78f
IA-64:
curl-7.10.6-7.rhel3.i386.rpm              ecfce4eee3ede7414af9419bb857a663
curl-7.10.6-7.rhel3.ia64.rpm              199d6a6f2e21733a86ed346b2cbe089f
curl-devel-7.10.6-7.rhel3.ia64.rpm        0b95f082281ae4d9d460281b39b46aa0
PPC:
curl-7.10.6-7.rhel3.ppc.rpm               77a1836af930e5326110ee8690317901
curl-7.10.6-7.rhel3.ppc64.rpm             908d24e3cbc7d08036d43733d7ae2022
curl-devel-7.10.6-7.rhel3.ppc.rpm         0fc4b76591d36237efc18d58bb1566ec
s390:
curl-7.10.6-7.rhel3.s390.rpm              7ade82b95dae4bc22e4030731ffbc641
curl-devel-7.10.6-7.rhel3.s390.rpm        1ceb1c3662fb96ea90ebda1c46df2706
s390x:
curl-7.10.6-7.rhel3.s390.rpm              7ade82b95dae4bc22e4030731ffbc641
curl-7.10.6-7.rhel3.s390x.rpm             b246e88f93093cb48eb1a86a8b80fe71
curl-devel-7.10.6-7.rhel3.s390x.rpm       aa34b35194bba528ed3b2c066b709508
x86_64:
curl-7.10.6-7.rhel3.i386.rpm              ecfce4eee3ede7414af9419bb857a663
curl-7.10.6-7.rhel3.x86_64.rpm            8646b2ff68f5f1ee2cc1ff5da875e7c7
curl-devel-7.10.6-7.rhel3.x86_64.rpm      65db40cfdfc676fd1a12c0b6bfae699a

Red Hat Enterprise Linux AS (v. 4)
--------------------------------------------------------------------------------
SRPMS:
curl-7.12.1-6.rhel4.src.rpm               354e2083a66997cc4f868b08f049798e
IA-32:
curl-7.12.1-6.rhel4.i386.rpm              7932c8695503fdf03165952b4c5ded91
curl-devel-7.12.1-6.rhel4.i386.rpm        0bab280280fa3770e00b88cf34dab80e
IA-64:
curl-7.12.1-6.rhel4.i386.rpm              7932c8695503fdf03165952b4c5ded91
curl-7.12.1-6.rhel4.ia64.rpm              07c388d071c757bbc7333538f3258ea3
curl-devel-7.12.1-6.rhel4.ia64.rpm        1009a4b23eccdf737d123cd073000d57
PPC:
curl-7.12.1-6.rhel4.ppc.rpm               bbb86cd7e5976de2a7784c32db0e4233
curl-7.12.1-6.rhel4.ppc64.rpm             f12164cdc06758194f8c5c7893a63836
curl-devel-7.12.1-6.rhel4.ppc.rpm         e410212395e7af4797aae342bdf1a590
s390:
curl-7.12.1-6.rhel4.s390.rpm              cc8e0c6478a8af638c61e406ddafbaaa
curl-devel-7.12.1-6.rhel4.s390.rpm        61b6e8d9e57dcf391b202bb81db6955b
s390x:
curl-7.12.1-6.rhel4.s390.rpm              cc8e0c6478a8af638c61e406ddafbaaa
curl-7.12.1-6.rhel4.s390x.rpm             5c79c8a8422d02e326f9b3654fd6805c
curl-devel-7.12.1-6.rhel4.s390x.rpm       e5c6bb0ff192c70f77557235b9791c96
x86_64:
curl-7.12.1-6.rhel4.i386.rpm              7932c8695503fdf03165952b4c5ded91
curl-7.12.1-6.rhel4.x86_64.rpm            dc308198a4f9c9e5477911096a5e65de
curl-devel-7.12.1-6.rhel4.x86_64.rpm      6cc5d58957f9ddb9fef20c6201fe4e33

Red Hat Enterprise Linux ES (v. 3)
--------------------------------------------------------------------------------
SRPMS:
curl-7.10.6-7.rhel3.src.rpm               1b0d0a36924e60bf0c6ef75974c04ca8
IA-32:
curl-7.10.6-7.rhel3.i386.rpm              ecfce4eee3ede7414af9419bb857a663
curl-devel-7.10.6-7.rhel3.i386.rpm        70ad959c7f566c2145d6024845d3a78f
IA-64:
curl-7.10.6-7.rhel3.i386.rpm              ecfce4eee3ede7414af9419bb857a663
curl-7.10.6-7.rhel3.ia64.rpm              199d6a6f2e21733a86ed346b2cbe089f
curl-devel-7.10.6-7.rhel3.ia64.rpm        0b95f082281ae4d9d460281b39b46aa0
x86_64:
curl-7.10.6-7.rhel3.i386.rpm              ecfce4eee3ede7414af9419bb857a663
curl-7.10.6-7.rhel3.x86_64.rpm            8646b2ff68f5f1ee2cc1ff5da875e7c7
curl-devel-7.10.6-7.rhel3.x86_64.rpm      65db40cfdfc676fd1a12c0b6bfae699a

Red Hat Enterprise Linux ES (v. 4)
--------------------------------------------------------------------------------
SRPMS:
curl-7.12.1-6.rhel4.src.rpm               354e2083a66997cc4f868b08f049798e
IA-32:
curl-7.12.1-6.rhel4.i386.rpm              7932c8695503fdf03165952b4c5ded91
curl-devel-7.12.1-6.rhel4.i386.rpm        0bab280280fa3770e00b88cf34dab80e
IA-64:
curl-7.12.1-6.rhel4.i386.rpm              7932c8695503fdf03165952b4c5ded91
curl-7.12.1-6.rhel4.ia64.rpm              07c388d071c757bbc7333538f3258ea3
curl-devel-7.12.1-6.rhel4.ia64.rpm        1009a4b23eccdf737d123cd073000d57
x86_64:
curl-7.12.1-6.rhel4.i386.rpm              7932c8695503fdf03165952b4c5ded91
curl-7.12.1-6.rhel4.x86_64.rpm            dc308198a4f9c9e5477911096a5e65de
curl-devel-7.12.1-6.rhel4.x86_64.rpm      6cc5d58957f9ddb9fef20c6201fe4e33

Red Hat Enterprise Linux WS (v. 3)
--------------------------------------------------------------------------------
SRPMS:
curl-7.10.6-7.rhel3.src.rpm               1b0d0a36924e60bf0c6ef75974c04ca8
IA-32:
curl-7.10.6-7.rhel3.i386.rpm              ecfce4eee3ede7414af9419bb857a663
curl-devel-7.10.6-7.rhel3.i386.rpm        70ad959c7f566c2145d6024845d3a78f
IA-64:
curl-7.10.6-7.rhel3.i386.rpm              ecfce4eee3ede7414af9419bb857a663
curl-7.10.6-7.rhel3.ia64.rpm              199d6a6f2e21733a86ed346b2cbe089f
curl-devel-7.10.6-7.rhel3.ia64.rpm        0b95f082281ae4d9d460281b39b46aa0
x86_64:
curl-7.10.6-7.rhel3.i386.rpm              ecfce4eee3ede7414af9419bb857a663
curl-7.10.6-7.rhel3.x86_64.rpm            8646b2ff68f5f1ee2cc1ff5da875e7c7
curl-devel-7.10.6-7.rhel3.x86_64.rpm      65db40cfdfc676fd1a12c0b6bfae699a

Red Hat Enterprise Linux WS (v. 4)
--------------------------------------------------------------------------------
SRPMS:
curl-7.12.1-6.rhel4.src.rpm               354e2083a66997cc4f868b08f049798e
IA-32:
curl-7.12.1-6.rhel4.i386.rpm              7932c8695503fdf03165952b4c5ded91
curl-devel-7.12.1-6.rhel4.i386.rpm        0bab280280fa3770e00b88cf34dab80e
IA-64:
curl-7.12.1-6.rhel4.i386.rpm              7932c8695503fdf03165952b4c5ded91
curl-7.12.1-6.rhel4.ia64.rpm              07c388d071c757bbc7333538f3258ea3
curl-devel-7.12.1-6.rhel4.ia64.rpm        1009a4b23eccdf737d123cd073000d57
x86_64:
curl-7.12.1-6.rhel4.i386.rpm              7932c8695503fdf03165952b4c5ded91
curl-7.12.1-6.rhel4.x86_64.rpm            dc308198a4f9c9e5477911096a5e65de
curl-devel-7.12.1-6.rhel4.x86_64.rpm      6cc5d58957f9ddb9fef20c6201fe4e33

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

170678 - CAN-2005-3185 NTLM buffer overflow

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3185

--------------------------------------------------------------------------------
These packages are GPG signed by Red Hat for security. Our key and details on
how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at
http://www.redhat.com/security/team/contact/

[***** End Red Hat Security Advisory RHSA-2005:807 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California.
CIAC is also a founding member of FIRST, the Forum of Incident Response and
Security Teams, a global organization established to foster cooperation and
coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:  http://www.ciac.org/
   Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

Q-030: Multiple Problems in Ethereal Versions 0.7.7 to 0.10.12
Q-031: Eric
Q-032: Sudo
Q-033: Libgda2
Q-034: Red Hat Kernel Security Update
Q-035: PAM Security Update
Q-036: Solaris Management Console Enables TRACE HTTP by Default
Q-037: Apple OS X 10.4.3 Security Update
Q-038: Cisco IOS Heap-based Overflow Vulnerability in System Timers