Call for advice regarding curl CVE-2016-9586
Hi
I have looked into CVE-2016-9586 affecting curl.
What I'm trying to figure out is whether it is worth the effort to fix
it or not.
More info here:
https://curl.haxx.se/docs/adv_20161221A.html
1) There are no known exploits -> minor issue (?)
2) The functions have been documented as deprecated for a long time
3) The problem only occurs on applications without proper input
sanitizing (and using curl_mprintf) so one could even argue that this
is not really a fault in curl at all.
Due to this I could argue that it would mean a no-dsa tag.
However the patch is quite simple so maybe it would be worth fixing anyway.
Also it is for a library and we do not really know how libraries are used.
So what do you think?
Best regards
// Ola
--
--- Inguza Technology AB --- MSc in Information Technology ----
/ ola@inguza.com Folkebogatan 26 \
| opal@debian.org 654 68 KARLSTAD |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
---------------------------------------------------------------
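Point 3 above puts the burden on the calling application: the overflow is only reachable when an attacker-controlled field width or precision reaches curl's printf-style formatter. The C snippet below is an added illustration of that application-side sanitising step; it is not code from this mail, from curl, or from Debian. It uses snprintf as a stand-in for curl_msnprintf so it builds without libcurl, and the FMT_MAX_WIDTH / FMT_MAX_PREC caps are assumed values chosen for the example, not limits taken from the advisory.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Upper bounds this application is willing to pass to a printf-style
 * formatter. Both are constructed limits for this example, not values
 * from the curl advisory. */
#define FMT_MAX_WIDTH 255
#define FMT_MAX_PREC  64

/* Parse a decimal width/precision argument taken from untrusted input
 * (a query string, a config file, ...). Returns 0 on success and -1 when
 * the value is missing, not a plain number, negative, or above `limit`. */
int parse_bounded_int(const char *s, int limit, int *out)
{
    char *end;
    long v;
    if (s == NULL || *s == '\0')
        return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v < 0 || v > limit)
        return -1;
    *out = (int)v;
    return 0;
}

/* Format `value` as "%*.*f" into `out` only after the width and precision
 * strings have passed the bounds check. snprintf stands in here for
 * curl_msnprintf; the sanitising step is the same either way.
 * Returns the number of characters written, or -1 if the request was
 * rejected or the result would not fit in `out`. */
int format_double_checked(char *out, size_t outlen, double value,
                          const char *width_s, const char *prec_s)
{
    int width, prec, n;
    if (parse_bounded_int(width_s, FMT_MAX_WIDTH, &width) != 0)
        return -1;
    if (parse_bounded_int(prec_s, FMT_MAX_PREC, &prec) != 0)
        return -1;
    n = snprintf(out, outlen, "%*.*f", width, prec, value);
    if (n < 0 || (size_t)n >= outlen)
        return -1;   /* truncated output is treated as a rejection too */
    return n;
}

int main(void)
{
    char buf[512];
    /* Constructed inputs: one sane request, then an oversized width such
     * as an unsanitised caller might forward straight to the formatter. */
    int ok = format_double_checked(buf, sizeof buf, 3.14159, "10", "2");
    printf("sane request     -> %d chars: '%s'\n", ok, buf);
    int bad = format_double_checked(buf, sizeof buf, 3.14159, "100000", "2");
    printf("oversized width  -> %d (rejected before formatting)\n", bad);
    return 0;
}
```

The check rejects the request before any formatting happens, which is the behaviour a library consumer wants regardless of whether the underlying printf implementation is patched: a caller that never forwards unbounded width or precision values is not exposed to this class of bug in the first place.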