[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: curl: CVE-2023-28322 and CVE-2023-27534

Hello Adrian,

I found a problem in the fix.

On Mon, 18 Dec 2023 15:22:11 +0200, Adrian Bunk wrote:
> For buster LTS I have now CVE-2023-28322 and CVE-2023-46218 fixed with [2]
> and plan to upload that.
> Please let me know if anything looks wrong about that.
> ...
> [2] https://salsa.debian.org/debian/curl/-/commit/ab0405fcd6b2bf5fa5b3aa338da4689d0d6ca617

[2] has not been released and it actually looks like the following [3] has been

  [3] https://salsa.debian.org/debian/curl/-/commit/b03db72939c3e6a50192a84f5e5e1205e5036efd

In the 0005-cookie-lowercase-the-domain-names-before-PSL-checks.patch in the
commit[3], the declaration of the "acceptable" variable was moved inside
"#ifdef USE_LIBPSL".
If we set "--without-libpsl" in configure, the "acceptable" is regarded as
undeclared. As a result, the following build error occurs.

| ../../curl-7.64.0/lib/cookie.c: In function 'Curl_cookie_add':
| ../../curl-7.64.0/lib/cookie.c:959:9: error: 'acceptable' undeclared (first use in this function); did you mean 'accept'?
|   959 |         acceptable = !bad_domain(co->domain);
|       |         ^~~~~~~~~~
|       |         accept

Best regards,
TERADA Takahiro

Reply to: