curl: CVE-2023-28322 and CVE-2023-27534



Hello Adrian,

On Mon, 18 Dec 2023 at 10:22, Adrian Bunk <bunk@debian.org> wrote:
> For releases where it has been backported, I've added a link to a
> regression fix in the security tracker.[1]

Thank you. I remember seeing the regression fix somewhere, and I forgot to apply
the fix.

> Regarding LTS, CVE-2023-46219 does not affect <= buster since
> CVE-2022-32207 was not present there.

Yes.

> > fix the ldap issue (#1057855) on unstable, and then come back to
> > CVE-2023-27534 and CVE-2023-28322 (to be more confident on what to do).
> >...
>
> For buster LTS I have now CVE-2023-28322 and CVE-2023-46218 fixed with [2]
> and plan to upload that.
>
> Please let me know if anything looks wrong about that.

Awesome, I started looking into fixing CVE-2023-46218 for buster and stopped
when assessing the backport of the "Curl_strntolower" function.

I see that you backported the original function, and I recommend instead
backporting the latest version to take advantage of the further improvements done.
I didn't check all of the changes but there was at least one performance
improvement. I also stopped at the point where I was going to check how
feasible it was to backport the latest version of the function, so I don't know
if that brings up the need to backport other things.

Generally speaking I believe backporting the latest version of the function
will also make maintenance smoother, as more CVE fixes might require it in the
future and there's a lower risk of carrying a low-profile bug. That being said,
feel free to go ahead if you still prefer to use the original version of the
function.

I have sent the debdiffs for the fixes for bullseye and bookworm (for their
respective affected CVEs) to the security team and I'm waiting on their ack.

Thank you,

-- 
Samuel Henrique <samueloph>