Re: Backporting CVE-2022-27774 fixes to older curl
From: Roberto C. Sánchez via curl-library <curl-library_at_lists.haxx.se>
Date: Sat, 31 Dec 2022 09:54:53 -0500
On Thu, Dec 29, 2022 at 12:12:34PM +0100, Kamil Dudka wrote:
> On Thursday, December 29, 2022 11:56:59 AM CET Kamil Dudka wrote:
> >
> > You can have a look how I backported the fixes, including the regression tests,
> > for curl-7.76.1 in CentOS Stream:
> >
> > https://gitlab.com/redhat/centos-stream/rpms/curl/-/blob/c9s/0013-curl-7.76.1-CVE-2022-27774.patch
>
> ... or the more complicated backport for curl-7.61.1, which also passes
> the upstream tests:
>
> https://gitlab.com/redhat/centos-stream/rpms/curl/-/blob/c8s/0038-curl-7.61.1-CVE-2022-27774.patch
>
Kamil,
Thank you! These patches were extremely helpful in developing a working
fix for CVE-2022-27774 in Debian. My first stop was 7.74.0, which
looked quite close to your patch for 7.76.1, with just a small bit of
tweaking. The upstream unit tests were most helpful here. The next
stops are 7.64.0, then 7.52.1, and 7.38.0. My hope is that your 7.61.1
patch requires little to no change for 7.64.0 and perhaps some minor
tweaking for 7.52.1. It is not clear what will happen with 7.38.0,
given how old it is. However, I will make an attempt.
Once I have completed all the backporting and ensured that the fix works
and the tests pass I will post a complete set of patches, as well as any
commentary on obstacles I might not have been able to overcome, for
those who are interested.
Regards,
-Roberto
-- Roberto C. Sánchez
Received on 2022-12-31