curl / Docs / Security Problems / Kerberos Authentication Buffer Overflow

Kerberos Authentication Buffer Overflow

Project curl Security Advisory, February 21st 2005 - Permalink


Due to bad usage of the base64 decode function to a stack-based buffer without checking the data length, it was possible for a malicious FTP server to overflow the client during krb4 negotiation. I don't know of any single user that uses krb4-ftp and I'm not even sure it still works 100%. The announcement was done without contacting us.


The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2005-0490 to this issue.

CWE-121: Stack-based Buffer Overflow