----------------------------------------------------------------------

TITLE:
cURL / libcURL Excessive Data Length in Callback Function

SECUNIA ADVISORY ID:
SA38427

VERIFY ADVISORY:
http://secunia.com/advisories/38427/

DESCRIPTION:
A security issue has been reported in cURL / libcURL, which can
potentially be exploited by malicious people to cause a DoS (Denial of
Service) or compromise an application using the library.

The security issue is caused due to an error when returning data to
the registered callback function for downloading compressed content
over HTTP. The library may send back up to 64Kb of data to the
callback function, exceeding the documented maximum data size of 16Kb
(CURL_MAX_WRITE_SIZE). This can potentially lead to buffer overflows
in client applications.

NOTE: This only affects zlib-enabled builds where automatic
decompression has been enabled (disabled by default).

The security issue affects curl and libcurl versions 7.10.5 through
7.19.7.

SOLUTION:
Update to version 7.20.0 or apply the patch.
http://curl.haxx.se/libcurl-contentencoding.patch

PROVIDED AND/OR DISCOVERED BY:
The vendor credits Wesley Miaw.

ORIGINAL ADVISORY:
http://curl.haxx.se/docs/adv_20100209.html

----------------------------------------------------------------------
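ADDED EXAMPLE (not part of the Secunia advisory or of curl's code):
A client-side write callback that checks each delivery against the room
actually left in its buffer instead of trusting the documented 16Kb
limit, so a 64Kb delivery is refused rather than copied. The names
DOC_MAX_WRITE_SIZE, struct sink and deliver() are hypothetical, and the
block builds without libcurl by using a local stand-in for
CURL_MAX_WRITE_SIZE.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local stand-in for CURL_MAX_WRITE_SIZE (16 KB), so this builds without libcurl. */
#define DOC_MAX_WRITE_SIZE 16384

/* Hypothetical client sink: a fixed buffer sized to the documented maximum. */
struct sink {
    char   buf[DOC_MAX_WRITE_SIZE];
    size_t len;
    int    rejected;   /* set when a delivery did not fit */
};

/* Same signature as a CURLOPT_WRITEFUNCTION callback. Returning a count other
 * than size*nmemb tells libcurl to abort the transfer with a write error. */
size_t bounded_write_cb(char *ptr, size_t size, size_t nmemb, void *userdata)
{
    struct sink *s = userdata;
    if (size != 0 && nmemb > SIZE_MAX / size) {   /* size*nmemb would wrap */
        s->rejected = 1;
        return 0;
    }
    size_t n = size * nmemb;
    if (n > sizeof(s->buf) - s->len) {            /* check real room, not the docs */
        s->rejected = 1;
        return 0;
    }
    memcpy(s->buf + s->len, ptr, n);
    s->len += n;
    return n;
}

/* Constructed input: hand the callback n bytes (n <= 64 KB) in a single call. */
size_t deliver(struct sink *s, size_t n)
{
    static char chunk[65536];
    memset(chunk, 'A', sizeof chunk);
    return bounded_write_cb(chunk, 1, n, s);
}
int main(void)
{
    static struct sink a, b;   /* zero-initialised */
    printf("16 KB delivery -> %zu\n", deliver(&a, 16384));
    size_t r = deliver(&b, 65536);
    printf("64 KB delivery -> %zu (rejected=%d)\n", r, b.rejected);
    return 0;
}
```
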