Buy commercial curl support. We
help you work out your issues, debug your libcurl applications, use the API,
port to new platforms, add new features and more. With a team lead by the
curl founder Daniel himself.
Some question about CVE-2022-35260
- Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]
From: 陈星杵 via curl-library <curl-library_at_lists.haxx.se>
Date: Thu, 2 Jan 2025 17:40:15 +0800 (GMT+08:00)
Hello! As stated on the website,the root cause about CVE-2022-35260[1] is the fgets lack the check of '\n', so curl can read past the end of the stack-based buffer. On this basis, I think the root cause is the line 85 of the patch, but the website show me the eeaae10c0fb27aa06[2] is the Vulnerability introduced commit. I want to know Where did my understanding go wrong.
Thanks very much!
[1] https://curl.se/docs/CVE-2022-35260.html
[2] https://github.com/curl/curl/commit/eeaae10c0fb27aa06
Date: Thu, 2 Jan 2025 17:40:15 +0800 (GMT+08:00)
Hello! As stated on the website,the root cause about CVE-2022-35260[1] is the fgets lack the check of '\n', so curl can read past the end of the stack-based buffer. On this basis, I think the root cause is the line 85 of the patch, but the website show me the eeaae10c0fb27aa06[2] is the Vulnerability introduced commit. I want to know Where did my understanding go wrong.
Thanks very much!
[1] https://curl.se/docs/CVE-2022-35260.html
[2] https://github.com/curl/curl/commit/eeaae10c0fb27aa06
-- Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library Etiquette: https://curl.se/mail/etiquette.htmlReceived on 2025-01-02