Hello Adrian, I found a problem in the fix.
On Mon, 18 Dec 2023 15:22:11 +0200, Adrian Bunk wrote: > For buster LTS I have now CVE-2023-28322 and CVE-2023-46218 fixed with [2] > and plan to upload that. > > Please let me know if anything looks wrong about that. > ... > [2] > https://salsa.debian.org/debian/curl/-/commit/ab0405fcd6b2bf5fa5b3aa338da4689d0d6ca617 [2] has not been released and it actually looks like the following [3] has been released. [3] https://salsa.debian.org/debian/curl/-/commit/b03db72939c3e6a50192a84f5e5e1205e5036efd In the 0005-cookie-lowercase-the-domain-names-before-PSL-checks.patch in the commit[3], the declaration of the "acceptable" variable was moved inside "#ifdef USE_LIBPSL". If we set "--without-libpsl" in configure, the "acceptable" is regarded as undeclared. As a result, the following build error occurs. | ../../curl-7.64.0/lib/cookie.c: In function 'Curl_cookie_add': | ../../curl-7.64.0/lib/cookie.c:959:9: error: 'acceptable' undeclared (first use in this function); did you mean 'accept'? | 959 | acceptable = !bad_domain(co->domain); | | ^~~~~~~~~~ | | accept Best regards, TERADA Takahiro
