SECURITY:

Fix NT LAN Manager (NTLM) authentication handling. By sending a
specially crafted long NTLM reply packet, a remote attacker could
overflow the reply buffer.  This could lead to execution of arbitrary
attacker specified code with the privileges of the application using
the cURL library.  CAN-2005-0490.  From Ubuntu.

ok brad@, pval@

net/curl/Makefile

@@ -1,8 +1,9 @@
-# $OpenBSD: Makefile,v 1.45 2004/12/16 00:31:21 alek Exp $
+# $OpenBSD: Makefile,v 1.46 2005/03/14 22:52:20 naddy Exp $
 
 COMMENT=	"get files from FTP, Gopher, HTTP or HTTPS servers"
 
 DISTNAME=	curl-7.11.2
+PKGNAME=	${DISTNAME}p0
 CATEGORIES=	net
 MASTER_SITES=	http://curl.haxx.se/download/ \
 		ftp://ftp.sunet.se/pub/www/utilities/curl/ \

net/curl/patches/patch-lib_http_ntlm_c

@@ -0,0 +1,25 @@
+$OpenBSD: patch-lib_http_ntlm_c,v 1.1 2005/03/14 22:52:20 naddy Exp $
+--- lib/http_ntlm.c.orig	Mon Mar 14 21:15:15 2005
++++ lib/http_ntlm.c	Mon Mar 14 21:16:43 2005
+@@ -105,7 +105,6 @@ CURLntlm Curl_input_ntlm(struct connectd
+     header++;
+ 
+   if(checkprefix("NTLM", header)) {
+-    unsigned char buffer[256];
+     header += strlen("NTLM");
+ 
+     while(*header && isspace((int)*header))
+@@ -126,7 +125,12 @@ CURLntlm Curl_input_ntlm(struct connectd
+          32 (48) start of data block
+       */
+ 
+-      size_t size = Curl_base64_decode(header, (char *)buffer);
++      size_t size;
++      unsigned char *buffer = (unsigned char *)malloc(strlen(header));
++      if (buffer == NULL)
++        return CURLNTLM_BAD;
++
++      size = Curl_base64_decode(header, (char *)buffer);
+ 
+       ntlm->state = NTLMSTATE_TYPE2; /* we got a type-2 */
+