curl-users

[martin@godisch.de: Bug#178473: curl: local user information leak]

From: Domenico Andreoli <cavok_at_filibusta.crema.unimi.it>
Date: Mon, 27 Jan 2003 18:02:19 +0100

hi again,

we have also this report... http://bugs.debian.org/178473

i never handled anything of this kind.

cheers
cavok

----- Forwarded message from Martin Godisch <martin_at_godisch.de> -----

Date: Sun, 26 Jan 2003 15:41:05 +0100
From: Martin Godisch <martin_at_godisch.de>
To: Debian Bug Tracking System <submit_at_bugs.debian.org>
Reply-To: Martin Godisch <martin_at_godisch.de>, 178473_at_bugs.debian.org
Subject: Bug#178473: curl: local user information leak

Package: curl
Version: 7.9.5-1
Severity: important
Tags: security

Passwords given to option -U are visible in the ps tree:

carlos:~/>curl -U user:pass some_url &; ps ax | grep curl | grep -v grep
[1] 26106
26106 pts/0 S 0:00 curl -U user:pass some_url

I suggest doing some kind of memset(optarg, '*', strlen(optarg)); when
curl parses its command line arguments.

Kind regards,

Martin

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux carlos 2.4.21-pre3 #1 Fri Jan 10 11:09:00 CET 2003 i686
Locale: LANG=C, LC_CTYPE=de_DE

Versions of packages curl depends on:
ii libc6 2.2.5-11.2 GNU C Library: Shared libraries an
ii libcurl2 7.9.5-1 Multi-protocol file transfer libra

----- End forwarded message -----

-----[ Domenico Andreoli, aka cavok
 --[ http://filibusta.crema.unimi.it/~cavok/gpgkey.asc
   ---[ 3A0F 2F80 F79C 678A 8936 4FEE 0677 9033 A20E BC50

Received on 2003-01-27
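
The in-place overwrite suggested in the forwarded report, as an added C example (not code from curl or from either poster). The names `take_secret_arg` and `scrub_proxy_user` are hypothetical, and the parser handles only the `-U` option shown in the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy a secret argument to the heap, then overwrite the original argv
 * storage in place, as the report proposes with memset(optarg, '*', ...).
 * Returns the private copy (caller frees), or NULL on allocation failure,
 * in which case the argument is left untouched.
 * Limitation: the argument is still readable in the process list from
 * process start until this overwrite runs. */
static char *take_secret_arg(char *arg)
{
    size_t len = strlen(arg);
    char *copy = malloc(len + 1);
    if (copy == NULL)
        return NULL;
    memcpy(copy, arg, len + 1);
    memset(arg, '*', len);   /* length preserved, terminator untouched */
    return copy;
}

/* Hypothetical minimal parser: handles only "-U value" and "-Uvalue". */
static char *scrub_proxy_user(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        if (strncmp(argv[i], "-U", 2) != 0)
            continue;
        if (argv[i][2] != '\0')               /* attached form: -Uuser:pass */
            return take_secret_arg(argv[i] + 2);
        if (i + 1 < argc)                     /* separate form: -U user:pass */
            return take_secret_arg(argv[i + 1]);
    }
    return NULL;
}

int main(int argc, char **argv)
{
    char *cred = scrub_proxy_user(argc, argv);
    if (cred != NULL) {
        printf("credential kept privately (%zu bytes)\n", strlen(cred));
        free(cred);
    }
    /* What a process listing would now show for this process's arguments. */
    for (int i = 0; i < argc; i++)
        printf("argv[%d] = %s\n", i, argv[i]);
    return 0;
}
```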