Re: cURL remote PoC for FBSD

[KF <dotslash () snosoft com>]

How about a nice re-wording ... "The most recent overflow in cURL (which dates back about a year or so)"  =] I agree this is a bit dated... but of course some vendors didn't get around to fixing their distros until late 2k or early 2001. 

> The **recent** overflow? You're referring to the buffer overflow reported on
> bugtraq October 13, 2000. I really can't see how this is recent in any way. 

This certainly should pose no immediate threat as you should have had your cURL updated LONG ago. The info on the version number was obtained from an old freebsd advisory I believe... which stated versions prior to 7.4.1 were vulnerable... I will verify this howeve. The exploit was provided simply to prove that it CAN be exploited.   

> I don't believe 7.4 is vulnerable. Did you verify this? All the notes from
> 2000 says the fix is in 7.4.1, but I'll tell you what: the fix is in 7.4
> too... (They were released with just a few hours interval due to some
> mistakes left in the makefiles of the 7.4 release.) 

-KF