Re: curl: CVE-2023-28322 and CVE-2023-27534

2023-12-18 Thread Adrian Bunk
On Sat, Dec 16, 2023 at 10:39:08PM -0300, Samuel Henrique wrote:
>...
> On Thu, 30 Nov 2023 at 06:36, Markus Koschany wrote:
> > I have recently triaged CVE-2023-28322 and CVE-2023-27534 for curl as ignored
> > for Buster because I believe those are minor issues. Since you expressed
> > interest as the maintainer of curl to fix potential security vulnerabilities, I
> > am asking you for your assessment. Are you (or someone else reading the list)
> > interested in fixing those CVEs?
> 
> I have not had time to properly look at this yet, but I agree with not
> backporting the dynbuf functions for CVE-2023-27534 (at least from what I've
> seen so far).

I'd agree with that assessment.

For releases where it has been backported, I've added a link to a 
regression fix in the security tracker.[1]

>...
> To give you a rough timeline for changes, my current priorities for curl right
> now are to get the fixes for CVE-2023-46218 and CVE-2023-46219 on all affected
> releases,

Regarding LTS, CVE-2023-46219 does not affect <= buster since 
CVE-2022-32207 was not present there.

> fix the ldap issue (#1057855) on unstable, and then come back to
> CVE-2023-27534 and CVE-2023-28322 (to be more confident on what to do).
>...

For buster LTS I have now CVE-2023-28322 and CVE-2023-46218 fixed with [2]
and plan to upload that.

Please let me know if anything looks wrong about that.

cu
Adrian

[1] https://deb.freexian.com/extended-lts/tracker/CVE-2023-27534
[2] https://salsa.debian.org/debian/curl/-/commit/ab0405fcd6b2bf5fa5b3aa338da4689d0d6ca617


curl: CVE-2023-28322 and CVE-2023-27534

2023-12-18 Thread Samuel Henrique
Hello Adrian,

On Mon, 18 Dec 2023 at 10:22, Adrian Bunk wrote:
> For releases where it has been backported, I've added a link to a
> regression fix in the security tracker.[1]

Thank you, I remember seeing the regression fix somewhere and I forgot to apply
the fix.

> Regarding LTS, CVE-2023-46219 does not affect <= buster since
> CVE-2022-32207 was not present there.

Yes.

> > fix the ldap issue (#1057855) on unstable, and then come back to
> > CVE-2023-27534 and CVE-2023-28322 (to be more confident on what to do).
> >...
>
> For buster LTS I have now CVE-2023-28322 and CVE-2023-46218 fixed with [2]
> and plan to upload that.
>
> Please let me know if anything looks wrong about that.

Awesome, I started looking into fixing CVE-2023-46218 for buster and stopped
when assessing the backport of the "Curl_strntolower" function.

I see that you backported the original function, and I recommend instead to
backport the latest version to take advantage of the further improvements done.
I didn't check all of the changes but there was at least one performance
improvement. I also stopped at the point where I was going to check how
feasible it was to backport the latest version of the function, so I don't know
if that brings up the need to backport other things.

Generally speaking I believe backporting the latest version of the function
will also make maintenance smoother, as more CVE fixes might require it in the
future and there's a lower risk of carrying a low-profile bug. That being said,
feel free to go ahead if you still prefer to use the original version of the
function.

I have sent the debdiffs for the fixes for bullseye and bookworm (for their
respective affected CVEs) to the security team and I'm waiting on their ack.

Thank you,

-- 
Samuel Henrique