Buy commercial curl support. We
help you work out your issues, debug your libcurl applications, use the API,
port to new platforms, add new features and more. With a team lead by the
curl founder Daniel himself.
Re: Some question about CVE-2020-8231
- Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]
From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>
Date: Thu, 2 Jan 2025 10:00:07 +0100 (CET)
On Thu, 2 Jan 2025, ³ÂÐÇèÆ via curl-library wrote:
> Hello! Sorry to bother you. I notice that CVE-2020-8231[1] is a Expired
> Pointer Dereference Vulnerability, and the patch[2] fixes 5 files. I know
> the c43127414d[3] is introduced commit of the lib/connect.c. At the same
> time, I find the introduced commit of the lib/multi.c is 575e885db0. So I
> want to know which one is the real Vulnerability introduced commit, and why?
This is becoming a pattern. You've asked for details for serveral CVE fixes
already and so far I have only confirmed that the published information is
correct.
Figuring out the exact commit that introduced a problem is tedious work but I
always try to do that with care and accuracy so that the information to users
become as good as possible. Usually I try to track down when a specific code
pattern was introduced, which might have moved around across different sources
files over the years. Often it is hard to actually build and reproduce the
problem with the (really) old versions so I typically then make a judgement
call without actually proving it.
Details for a problem published several years ago of course now has a
shrinking importance. Spending a lot of energy to research a 2020 issues seems
like maybe not worth it anymore?
> I find the introduced commit of the lib/multi.c is 575e885db0.
Please elaborate. Which exact change was done in this commit that makes you
believe it introduced the problem?
Date: Thu, 2 Jan 2025 10:00:07 +0100 (CET)
On Thu, 2 Jan 2025, ³ÂÐÇèÆ via curl-library wrote:
> Hello! Sorry to bother you. I notice that CVE-2020-8231[1] is a Expired
> Pointer Dereference Vulnerability, and the patch[2] fixes 5 files. I know
> the c43127414d[3] is introduced commit of the lib/connect.c. At the same
> time, I find the introduced commit of the lib/multi.c is 575e885db0. So I
> want to know which one is the real Vulnerability introduced commit, and why?
This is becoming a pattern. You've asked for details for serveral CVE fixes
already and so far I have only confirmed that the published information is
correct.
Figuring out the exact commit that introduced a problem is tedious work but I
always try to do that with care and accuracy so that the information to users
become as good as possible. Usually I try to track down when a specific code
pattern was introduced, which might have moved around across different sources
files over the years. Often it is hard to actually build and reproduce the
problem with the (really) old versions so I typically then make a judgement
call without actually proving it.
Details for a problem published several years ago of course now has a
shrinking importance. Spending a lot of energy to research a 2020 issues seems
like maybe not worth it anymore?
> I find the introduced commit of the lib/multi.c is 575e885db0.
Please elaborate. Which exact change was done in this commit that makes you
believe it introduced the problem?
-- / daniel.haxx.se || https://rock-solid.curl.dev
-- Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library Etiquette: https://curl.se/mail/etiquette.htmlReceived on 2025-01-02