curl: CVE-2023-28322 and CVE-2023-27534

Hello Markus,

On Thu, 30 Nov 2023 at 06:36, Markus Koschany <apo@debian.org> wrote:
> I have recently triaged CVE-2023-28322 and CVE-2023-27534 for curl as ignored
> for Buster because I believe those are minor issues. Since you expressed
> interest as the maintainer of curl to fix potential security vulnerabilities, I
> am asking you for your assessment. Are you (or someone else reading the list)
> interested in fixing those CVEs?

I have not had time to properly look at this yet, but I agree with not
backporting the dynbuf functions for CVE-2023-27534 (at least from what I've
seen so far).

> My reasoning to ignore CVE-2023-28322 is that it does not affect the command
> line tool, and even a use after free is not present in libcurl.

I'm not sure I understand this; I read it as "we are not affected at all", but
you're not explaining why there's no use after free. I haven't reviewed the
code, so I wonder if you're talking about something trivial that I'll spot once
I dedicate more time to it.

To give you a rough timeline for changes, my current priorities for curl right
now are to get the fixes for CVE-2023-46218 and CVE-2023-46219 on all affected
releases, fix the ldap issue (#1057855) on unstable, and then come back to
CVE-2023-27534 and CVE-2023-28322 (to be more confident on what to do).

I appreciate the reach out.

Thank you,

Samuel Henrique <samueloph>