
Re: Call for advice regarding curl CVE-2016-9586



Hi Ola,
On Fri, Dec 23, 2016 at 11:54:11PM +0100, Ola Lundqvist wrote:
> Hi
> 
> I have looked into CVE-2016-9586 affecting curl.
> What I'm trying to figure out is whether it is worth the effort to fix
> it or not.
> 
> More info here:
> https://curl.haxx.se/docs/adv_20161221A.html
> 
> 1) There are no known exploits -> minor issue (?)

This can change at any time.

> 2) The functions have been documented as deprecated for a long time
> 3) The problem only occurs on applications without proper input
> sanitizing (and using curl_mprintf) so one could even argue that this
> is not really a fault in curl at all.
>
> Due to this I could argue that it would mean a no-dsa tag.
> 
> However the patch is quite simple so maybe it would be worth fixing anyway.
> Also it is for a library and we do not really know how libraries are
> used.

The curl_mvprintf functions seem to invoke dprintf_formatf so it would
be time consuming to check if anything in Debian is affected. Given the
simplicity of the patch I'd rather fix it than not.

Cheers,
 -- Guido

> 
> So what do you think?
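The point Ola raises in 3) and Guido in his reply, that the bug only bites when an application passes unsanitised width or precision values through curl_mprintf, is easier to weigh with a concrete model of the failure. The block below is an added illustration, not curl's source and not part of this thread: it models a formatter that first renders a "%f" conversion into a fixed scratch buffer (the advisory linked in the mail says the overflow occurs when that conversion exceeds 255 bytes, so WORK_SIZE is assumed to be 256) and shows, side by side, how an unchecked conversion blows past that buffer and how a bounded version clamps width and precision and writes with snprintf instead. The function names and the clamping strategy are this example's own assumptions.

```c
/*
 * Added illustration (not curl's code): why an unsanitised width or
 * precision in a "%f" conversion matters when the formatter renders the
 * number into a fixed-size scratch buffer first.
 *
 * WORK_SIZE is an assumption taken from the advisory's "more than 255
 * bytes" description; the clamping below is this example's own design.
 */
#include <stdio.h>
#include <string.h>

#define WORK_SIZE 256   /* assumed size of the fixed scratch buffer */

/*
 * Length that "%<width>.<prec>f" produces for `value`, measured with
 * snprintf(NULL, 0, ...), which writes nothing. This is the number of
 * bytes an unchecked sprintf() into a WORK_SIZE buffer would have to
 * hold, with width and precision taken straight from the caller.
 */
int float_conversion_length(int width, int prec, double value)
{
    char fmt[32];
    snprintf(fmt, sizeof fmt, "%%%d.%df", width, prec);
    return snprintf(NULL, 0, fmt, value);
}

/* 1 if an unchecked sprintf() of this conversion would not fit WORK_SIZE. */
int would_overflow(int width, int prec, double value)
{
    return float_conversion_length(width, prec, value) >= WORK_SIZE;
}

/*
 * Bounded conversion: clamp width and precision so caller-controlled
 * values cannot request a result larger than the scratch buffer, and use
 * snprintf() with the buffer size as the second line of defence (a large
 * integer part can still push the result past the buffer, and then
 * snprintf truncates rather than overflowing). Returns the number of
 * bytes stored, excluding the NUL, always < WORK_SIZE.
 */
int format_float_bounded(char *work, int width, int prec, double value)
{
    char fmt[32];
    int n;

    if (width < 0 || width > WORK_SIZE - 2)
        width = WORK_SIZE - 2;
    if (prec < 0 || prec > WORK_SIZE - 2)
        prec = WORK_SIZE - 2;
    snprintf(fmt, sizeof fmt, "%%%d.%df", width, prec);
    n = snprintf(work, WORK_SIZE, fmt, value);
    if (n >= WORK_SIZE)           /* output was truncated to fit */
        n = WORK_SIZE - 1;
    return n;
}

int main(void)
{
    /* Constructed inputs: a width an application might pass unchecked. */
    char work[WORK_SIZE];
    int width = 300, prec = 5;
    double value = 3.14;

    printf("unchecked \"%%%d.%df\" needs %d bytes, overflow=%d\n",
           width, prec, float_conversion_length(width, prec, value),
           would_overflow(width, prec, value));
    printf("bounded conversion stored %d bytes\n",
           format_float_bounded(work, width, prec, value));
    return 0;
}
```

The first function stands in for the unchecked path: it only measures the length, so the program itself never overflows, but the measured value is exactly what a fixed 256-byte sprintf() target would have to absorb. The clamp alone is not sufficient, which is why the bounded version also passes the buffer size to snprintf; the test case with a large integer part exercises that second check.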

