
Re: curl: CVE-2023-28322 and CVE-2023-27534



Hello Adrian,

I found a problem in the fix.

On Mon, 18 Dec 2023 15:22:11 +0200, Adrian Bunk wrote:
> For buster LTS I have now CVE-2023-28322 and CVE-2023-46218 fixed with [2]
> and plan to upload that.
> 
> Please let me know if anything looks wrong about that.
> ...
> [2] https://salsa.debian.org/debian/curl/-/commit/ab0405fcd6b2bf5fa5b3aa338da4689d0d6ca617

[2] has not been released and it actually looks like the following [3] has been
released.

  [3] https://salsa.debian.org/debian/curl/-/commit/b03db72939c3e6a50192a84f5e5e1205e5036efd

In 0005-cookie-lowercase-the-domain-names-before-PSL-checks.patch in
commit [3], the declaration of the "acceptable" variable was moved inside
"#ifdef USE_LIBPSL".
If we set "--without-libpsl" in configure, "acceptable" is regarded as
undeclared. As a result, the following build error occurs.

| ../../curl-7.64.0/lib/cookie.c: In function 'Curl_cookie_add':
| ../../curl-7.64.0/lib/cookie.c:959:9: error: 'acceptable' undeclared (first use in this function); did you mean 'accept'?
|   959 |         acceptable = !bad_domain(co->domain);
|       |         ^~~~~~~~~~
|       |         accept

Best regards,
TERADA Takahiro

