Bugtraq mailing list archives
wrong facts about curl exploit
From: Daniel Stenberg <daniel () HAXX SE>
Date: Sun, 22 Oct 2000 10:32:54 +0200
Hi,

I am the main author of curl, the tool that appeared in the Remote Buffer Overflow Vulnerability reported on October 13th at http://www.securityfocus.com/bid/1804

... the information and discussion are accurate, to the point and describe the problem (even if somewhat unspecific).

However, what is bothering me: The described exploit is *entirely* wrong! The described exploit is

a) not a remote buffer overflow
b) not at all present in all those versions listed in the advisory.
c) hardly an exploit since it just crashes older versions of the application.

There's a "buffer overflow" example posted in the curl bug report system that would make a far better (and correct) example of how to crash curl using the posted flaw.

I'd be happy to answer any questions regarding this matter, and I would like to see that section of the advisory corrected.

Thanks for an utterly important and useful service!

-- Daniel Stenberg -- curl project maintainer -- http://curl.haxx.se/