Re: Microsoft on CVE-2021-22947
From: Zakrzewski, Jakub via curl-library <curl-library_at_lists.haxx.se>
Date: Wed, 12 Jan 2022 16:42:31 +0000
> It isn't directly a RCE, but it seems like that might be a possibility -- say some process
> was using FTP/STARTTLS to download a script to run. If a MITM can interject content
> as the top of that script, that could be unpleasant.
Sorry but with that logic almost everything becomes an RCE.
It's not an RCE unless it can directly be used to run code. Changing script content
(however dangerous) is not causing it to run (and for sure not by curl itself).
Received on 2022-01-12