
Kerberos Authentication Buffer Overflow


Date: February 21, 2005
ID: BID 12616, CAN-2005-0490
Affected versions: 7.3 to and including 7.13.0
Not affected versions: 7.13.1 and later
Advisories: iDEFENSE's advisory

Because the base64 decode function was used to write into a stack-based buffer without checking the length of the decoded data, a malicious FTP server could overflow the client during krb4 negotiation. I don't know of any single user that uses krb4-ftp and I'm not even sure it still works 100%. The announcement was done without contacting us.
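The bug pattern the advisory describes, base64 output landing in a fixed-size stack buffer with no check on the decoded length, shown with the missing bound in place. This is an added illustration, not curl's code from any version; the decoder, the function names and the 16-byte buffer are constructed for the example.

```c
#include <string.h>

/* Value of one base64 alphabet character, or -1 if it is not in the alphabet. */
static int b64_val(int c)
{
    const char *tbl = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const char *p = c ? strchr(tbl, c) : NULL;
    return p ? (int)(p - tbl) : -1;
}

/* Decode base64 text into out[]. Returns the decoded length, or -1 when the
 * input is malformed or when the decoded data would exceed out_cap. The
 * capacity check runs before any byte is written; decoding straight into a
 * fixed stack buffer without that check is the pattern the advisory describes. */
static long b64_decode_bounded(const char *in, unsigned char *out, size_t out_cap)
{
    size_t in_len = strlen(in), pad = 0, i, o = 0;
    unsigned int acc = 0;
    int bits = 0;

    if (in_len % 4 != 0)
        return -1;
    while (pad < 2 && in_len > pad && in[in_len - 1 - pad] == '=')
        pad++;
    /* Worst-case output size follows from the input length alone. */
    if (in_len / 4 * 3 - pad > out_cap)
        return -1;

    for (i = 0; i < in_len - pad; i++) {
        int v = b64_val((unsigned char)in[i]);
        if (v < 0)
            return -1;
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out[o++] = (unsigned char)((acc >> bits) & 0xff);
        }
    }
    return (long)o;
}

/* Caller shaped like the advisory's scenario: a small fixed stack buffer
 * (constructed, 16 bytes) receives a peer-supplied token. An oversized token
 * is rejected instead of overrunning the stack. */
static long decode_peer_token(const char *token_b64)
{
    unsigned char buf[16];
    return b64_decode_bounded(token_b64, buf, sizeof(buf));
}
```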