
Re: Call for advice regarding curl CVE-2016-9586



Thank you.

It was added to dla-needed.txt one or two days ago.

/ Ola

Sent from a phone

On 27 Dec 2016 22:37, "Antoine Beaupré" <anarcat@orangeseeds.org> wrote:
On 2016-12-23 17:54:11, Ola Lundqvist wrote:
> Hi
>
> I have looked into CVE-2016-9586 affecting curl.
> What I'm trying to figure out is whether it is worth the effort to fix
> it or not.
>
> More info here:
> https://curl.haxx.se/docs/adv_20161221A.html
>
> 1) There are no known exploits -> minor issue (?)

"No known exploits" is mostly irrelevant; the severity of the issue
is. In this case, a buffer overflow is severe enough to warrant action,
in my opinion.

> 2) The functions have been documented as deprecated for a long time

Considering how old the software in wheezy is, this may mean we still
have some of those tools. :)

> 3) The problem only occurs on applications without proper input
> sanitizing (and using curl_mprintf) so one could even argue that this
> is not really a fault in curl at all.

This I am more convinced by: it's the format string, not the argument,
so it's less likely to be an attack vector. But as Guido said, we can't
review all the instances and we should fix this anyways.

A.
--
A man is none the less a slave because he is allowed to choose a new
master once in a term of years.
                         - Lysander Spooner
