Call for advice regarding curl CVE-2016-9586

To: Debian LTS <debian-lts@lists.debian.org>
Subject: Call for advice regarding curl CVE-2016-9586
From: Ola Lundqvist <ola@inguza.com>
Date: Fri, 23 Dec 2016 23:54:11 +0100
Message-id: <[🔎] CABY6=0khq=WiDt1C=eWWGtvo-Th1nG=0+vn3g5iULUjJO+CZPg@mail.gmail.com>

Hi

I have looked into CVE-2016-9586 affecting curl.
What I'm trying to figure out is whether it is worth the effort to fix
it or not.

More info here:
https://curl.haxx.se/docs/adv_20161221A.html

1) There are no known exploits -> minor issue (?)
2) The functions have been documented as deprecated for a long time
3) The problem only occur on applications without proper input
sanitizing (and using curl_mprintf) so one could even argue that this
is not really a fault in curl at all.

Due to this I could argue that it would mean a no-dsa tag.

However the patch is quite simple so maybe it would be worth fixing anyway.
Also it is for a library and we do not really know how libraries are used.

So what do you think?

Best regards

// Ola

-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------

Reply to:

Follow-Ups:
- Re: Call for advice regarding curl CVE-2016-9586
  - From: Guido Günther <agx@sigxcpu.org>
- Re: Call for advice regarding curl CVE-2016-9586
  - From: Antoine Beaupré <anarcat@orangeseeds.org>

Prev by Date: Wheezy update of apche2?
Next by Date: Wheezy update of apache2?
Previous by thread: Wheezy update of apche2?
Next by thread: Re: Call for advice regarding curl CVE-2016-9586
Index(es):
- Date
- Thread