[Bug 1707214] Re: libcurl3 crashes when reusing handle with proxy NTLM authentication
Edward Thomson
ethomson at edwardthomson.com
Thu Oct 19 10:13:29 UTC 2017
I was pleased to see that there was a new trusty-updates package for
curl that fixes a number of out-of-bounds reads!
And I was immediately disappointed that it didn't fix _this_ set of out-
of-bounds reads.
Alas.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to curl in Ubuntu.
https://bugs.launchpad.net/bugs/1707214
Title:
libcurl3 crashes when reusing handle with proxy NTLM authentication
Status in curl package in Ubuntu:
New
Bug description:
The package libcurl3-7.35.0 on Ubuntu Trusty crashes when reusing a
curl handle and turning on proxy NTLM authentication. The libgit2
project is repeatedly hitting this issue on the new Travis CI
container infrastructure, which they have recently updated to make use
of Ubuntu Trusty.
This issue stems from the backported fix to CVE-2016-0755 (NTLM: Fix
ConnectionExists to compare Proxy credentials), which introduces a
null-pointer exception when one of the proxy credentials is `NULL`.
The issue has already been fixed upstream in commit
fa5fa65a309f352284e58f52183d586886eb17ea, which should be backported
to fix the segfault. See the attached patch from Isaac Boukris.
Please consider including this patch to fix the fix for CVE-2016-0755.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/curl/+bug/1707214/+subscriptions
More information about the foundations-bugs
mailing list