The problem can be corrected by upgrading the affected package to
version 7.12.0.is.7.11.2-1ubuntu0.3 (for Ubuntu 4.10),
7.12.3-2ubuntu3.5 (libcurl3 for Ubuntu 5.04), 1:7.11.2-12ubuntu3.3
(libcurl2 for Ubuntu 5.04), or 7.14.0-2ubuntu1.2 (for Ubuntu 5.10).
In general, a standard system upgrade is sufficient to effect the

Stefan Esser discovered several buffer overflows in the handling of
URLs. By attempting to load a URL with a specially crafted invalid
hostname, a local attacker could exploit this to execute arbitrary
code with the privileges of the application that uses the cURL

It is not possible to trick cURL into loading a malicious URL with an
HTTP redirect, so this vulnerability was usually not exploitable
remotely. However, it could be exploited locally, for example to circumvent
PHP security restrictions.