[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Call for advice regarding curl CVE-2016-9586



Hi

I have looked into CVE-2016-9586 affecting curl.
What I'm trying to figure out is whether it is worth the effort to fix
it or not.

More info here:
https://curl.haxx.se/docs/adv_20161221A.html

1) There are no known exploits -> minor issue (?)
2) The functions have been documented as deprecated for a long time
3) The problem only occur on applications without proper input
sanitizing (and using curl_mprintf) so one could even argue that this
is not really a fault in curl at all.

Due to this I could argue that it would mean a no-dsa tag.

However the patch is quite simple so maybe it would be worth fixing anyway.
Also it is for a library and we do not really know how libraries are used.

So what do you think?

Best regards

// Ola

-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------


Reply to: