Re: Some questions about CVE-2017-7407
From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>
Date: Wed, 18 Dec 2024 09:39:10 +0100 (CET)
On Wed, 18 Dec 2024, 陈星杵 via curl-library wrote:
> Sorry to bother you. I noticed that the "introduce commit" listed on
> "https://curl.se/docs/CVE-2017-7407.html" is 90030a49c7facfefeca8, but when I
> checked the commit, there were no related code changes. I also found that
> commit "dfec172157" is the initial commit where the vulnerable file was
> introduced. So is the true introducing commit "dfec172157"?
Thanks for checking and reporting. I think both hashes are wrong!
What could be considered the source of this (old) problem was this
condition/line:
else if('\\' == *ptr) {
At least that's the line we changed to fix the problem [1].
Tracing back through history, we can see that this line existed already back
here:
https://github.com/curl/curl/blob/curl-6_5/lib/writeout.c
That's curl 6.5 (much earlier than dfec172157), which the security advisory
says was affected.
This is before libcurl existed, but there was a lib directory because there
was already work going on toward a library. The file lib/writeout.c was
created in commit d073ec0a719bfa (introduced in 6.5) and seems to have the
vulnerable code path.
I therefore now believe d073ec0a719bfad2 [2] is the correct original commit
that introduced this problem.
Do you agree?
[1] = https://github.com/curl/curl/commit/8e65877870c1
[2] = https://github.com/curl/curl/commit/d073ec0a719bfad28
-- / daniel.haxx.se || https://rock-solid.curl.dev
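The condition Daniel points at, `else if('\\' == *ptr)`, is the escape-handling branch of curl's --write-out format parser, and CVE-2017-7407 is the out-of-bounds read that branch allowed when a format string ends in a backslash: the parser consumed the byte after the backslash (the terminating NUL) and kept scanning past the end of the buffer. The following C program is an added illustration written for this page, not curl's code and not the fix in commit 8e65877870c1; it builds a constructed, minimal escape expander in the same shape and runs it twice, once with the unguarded check and once with the guard, over a reader that counts reads past the NUL instead of performing them.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not curl's code. A minimal --write-out style escape
 * expander that handles only \n, \t and \\. All reads of the format go
 * through peek(), which reports an index beyond the NUL terminator instead
 * of dereferencing it, so the defect is observable without undefined
 * behaviour. */

struct reader {
    const char *s;     /* format string, NUL terminated */
    size_t len;        /* strlen(s); index len holds the NUL */
    int out_of_bounds; /* number of reads attempted past the NUL */
};

static char peek(struct reader *r, size_t i)
{
    if(i > r->len) {   /* reading the NUL at index len is legal, beyond is not */
        r->out_of_bounds++;
        return '\0';
    }
    return r->s[i];
}

static char escape_char(char c)
{
    switch(c) {
    case 'n': return '\n';
    case 't': return '\t';
    default:  return c;   /* "\\" yields '\'; unknown escapes pass through */
    }
}

/* guard_next == 0 mirrors the unguarded branch: on a backslash the next byte
 * is consumed unconditionally. With "abc\" that byte is the NUL, the index
 * jumps to len + 1, and the next loop test reads past the terminator.
 * guard_next == 1 only takes the escape branch when a character follows, so a
 * trailing backslash is emitted literally and the index never passes len. */
static size_t expand(struct reader *r, char *out, size_t outsz, int guard_next)
{
    size_t i = 0, o = 0;
    while(peek(r, i) != '\0' && o + 1 < outsz) {
        if('\\' == peek(r, i) && (!guard_next || peek(r, i + 1) != '\0')) {
            out[o++] = escape_char(peek(r, i + 1));
            i += 2;
        }
        else
            out[o++] = peek(r, i++);
    }
    out[o] = '\0';
    return o;
}

/* Expand fmt into out with the chosen variant; returns how many reads went
 * past the NUL (0 means the parser stayed inside the buffer). */
static int overrun_count(const char *fmt, int guard_next, char *out, size_t outsz)
{
    struct reader r = { fmt, strlen(fmt), 0 };
    expand(&r, out, outsz, guard_next);
    return r.out_of_bounds;
}

int main(void)
{
    /* Constructed inputs: a normal format and one ending in a backslash. */
    const char *inputs[] = { "a\\nb\\\\c", "abc\\" };
    char buf[64];
    for(size_t t = 0; t < sizeof(inputs) / sizeof(inputs[0]); t++) {
        int unguarded = overrun_count(inputs[t], 0, buf, sizeof buf);
        int guarded = overrun_count(inputs[t], 1, buf, sizeof buf);
        printf("%-10s reads past NUL: unguarded=%d guarded=%d\n",
               inputs[t], unguarded, guarded);
    }
    return 0;
}
```

The tracking reader is the useful part for a defender: the same idea, a bounds-checked accessor swapped in for raw pointer dereferences, is how you can replay a parser over edge-case inputs (empty string, lone escape character, escape at end of buffer) and have it report, rather than silently perform, any read beyond the terminator.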
-- Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library Etiquette: https://curl.se/mail/etiquette.html
Received on 2024-12-18